
Analysis Report bVsKNuwn30

Overview

General Information

Sample Name: bVsKNuwn30 (renamed file extension from none to exe)
Analysis ID: 433069
MD5: 3c88c6ef1a906bc81fc6b5b7fc478e0c
SHA1: 1007ea59d9c209f367a1873ae6da2eac5fad81ef
SHA256: 1754283e0b6bbbbeb69f165e54e3795d3e34ca14aa7bd8bd3b7dcdd97f7dfca8
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • bVsKNuwn30.exe (PID: 6700 cmdline: 'C:\Users\user\Desktop\bVsKNuwn30.exe' MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)
    • bVsKNuwn30.exe (PID: 5612 cmdline: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 3532 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 5548 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
bVsKNuwn30.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(36 entries in the full report; remaining entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.bVsKNuwn30.exe.660000.1.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
19.2.msiexec.exe.4eef834.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
0.2.bVsKNuwn30.exe.6f0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
12.2.bVsKNuwn30.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
12.2.bVsKNuwn30.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 entries in the full report; remaining entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: bVsKNuwn30.exe, Virustotal: Detection: 51%
Source: bVsKNuwn30.exe, Metadefender: Detection: 20%
Source: bVsKNuwn30.exe, ReversingLabs: Detection: 55%
Yara detected FormBook
Source: Yara match, File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bVsKNuwn30.exe, Joe Sandbox ML: detected
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: bVsKNuwn30.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: bVsKNuwn30.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: bVsKNuwn30.exe, msiexec.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\bVsKNuwn30.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_00F9F430
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Code function: 4x nop then pop esi 12_2_004172E4
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Code function: 4x nop then pop edi 12_2_00417D55
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then pop esi 19_2_007C72E4
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then pop edi 19_2_007C7D55

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.bucksnortneola.com/gw2/
Source: bVsKNuwn30.exe, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: bVsKNuwn30.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: bVsKNuwn30.exe, String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: bVsKNuwn30.exe, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: bVsKNuwn30.exe, String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: bVsKNuwn30.exe, String found in binary or memory: http://ocsp.comodoca.com0
Source: bVsKNuwn30.exe, String found in binary or memory: http://ocsp.comodoca.com0#
Source: bVsKNuwn30.exe, String found in binary or memory: http://ocsp.sectigo.com0
Source: bVsKNuwn30.exe, String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: bVsKNuwn30.exe, String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: bVsKNuwn30.exe, String found in binary or memory: https://sectigo.com/CPS0D
Source: bVsKNuwn30.exe, String found in binary or memory: https://sectigo.com/CPS0U
Source: bVsKNuwn30.exe, String found in binary or memory: https://secure.comodo.com/CPS0L
Source: bVsKNuwn30.exe, 0000000C.00000002.542410721.0000000000EAA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: the same Yara matches (memory dumps and unpacked PEs) as listed under "Yara detected FormBook" in the AV Detection section above

                  System Summary:

                  barindex
                  Malicious sample detected (through community Yara rule)Show sources
                  Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
                  Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeProcess Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419D60 NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E10 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E90 NtClose
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419D5A NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E8B NtClose
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419F3A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011AAD30 NtSetContextThread
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9520 NtWaitForSingleObject
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9950 NtQueueApcThread
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9560 NtWriteFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A99D0 NtCreateProcessEx
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A95F0 NtQueryInformationFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9820 NtEnumerateKey
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011AB040 NtSuspendThread
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A98A0 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011AA710 NtOpenProcessToken
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9B00 NtSetValueKey
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9730 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9770 NtSetInformationFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011AA770 NtOpenThread
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9760 NtOpenProcess
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011AA3B0 NtGetContextThread
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9FE0 NtCreateMutant
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9610 NtEnumerateValueKey
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A10 NtQuerySection
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9650 NtQueryValueKey
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9670 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A80 NtOpenDirectoryObject
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A96D0 NtCreateKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A299A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A295D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A296E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A296D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A298A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A298F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29820 NtEnumerateKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A2B040 NtSuspendThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A295F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A299D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A2AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29560 NtWriteFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29A20 NtResumeThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29A10 NtQuerySection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A297A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A2A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29B00 NtSetValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A2A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29760 NtOpenProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A29770 NtSetInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A2A770 NtOpenThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C9D60 NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C9E10 NtReadFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C9E90 NtClose
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C9F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C9D5A NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C9E8B NtClose
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C9F3A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F917B0
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91C28
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91C18
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91795
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_0528F528
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_05280007
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_05280040
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_05286B28
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00401030
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041D8BA
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041D988
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041E2F2
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_004012FB
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041DA9E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041DE31
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409E3B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041D719
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CFA3
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CFA6
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041DFB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116F900
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01160D20
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01231D55
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01221002
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0117B090
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119EBB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01186E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FB090
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F841F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AA1002
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A12581
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FD5E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EF900
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E0D20
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB1D55
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A06E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1EBB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CE2F2
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B2D90
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B2D88
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B9E40
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B9E3B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B2FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCFA6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe 1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 049EB150 appears 35 times
Source: bVsKNuwn30.exe | Static PE information: invalid certificate
Source: bVsKNuwn30.exe, 00000000.00000002.491736102.00000000050E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZcmwzsmpuvltki.dll" vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.484948523.000000000076E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491858013.0000000005120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.490881651.0000000004F20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.489244106.0000000003ABD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZmhikajpuu.dll6 vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491869526.0000000005130000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000002.542377429.0000000000E2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000000.484196822.00000000006DE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000002.543477824.00000000013EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe | Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: bVsKNuwn30.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: bVsKNuwn30.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bVsKNuwn30.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@0/0
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVsKNuwn30.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: bVsKNuwn30.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bVsKNuwn30.exe | Virustotal: Detection: 51%
Source: bVsKNuwn30.exe | Metadefender: Detection: 20%
Source: bVsKNuwn30.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File read: C:\Users\user\Desktop\bVsKNuwn30.exe
Source: unknown | Process created: C:\Users\user\Desktop\bVsKNuwn30.exe 'C:\Users\user\Desktop\bVsKNuwn30.exe'
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: bVsKNuwn30.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: bVsKNuwn30.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: bVsKNuwn30.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msiexec.pdb source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
                  Source: Binary string: msiexec.pdbGCTL source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdbUGP source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdb source: bVsKNuwn30.exe, msiexec.exe
                  Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
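The five "Process created" rows above form the tree that makes this sample recognisable as FormBook before any string or YARA hit: the .NET dropper re-executes a copy of itself from %TEMP%, the injected payload in explorer.exe starts a bare SysWOW64\msiexec.exe, and that process uses cmd.exe /c del to remove the dropped copy. The following Python is an added example, not code from the sandbox or this report: it turns those rows into a constructed log (the "parent -> child" line format is invented for the example), then applies the three parent/child heuristics a detection engineer would write for this tree.

```python
import ntpath
import re

# Constructed input: the five "Process created" rows from the report, written as
# "<parent image> -> <child command line>". The line format is the example's own,
# not an export format of the sandbox.
PROCESS_EVENTS = r"""
unknown -> 'C:\Users\user\Desktop\bVsKNuwn30.exe'
C:\Users\user\Desktop\bVsKNuwn30.exe -> C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
C:\Windows\explorer.exe -> C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe -> C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
C:\Windows\SysWOW64\cmd.exe -> C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
""".strip().splitlines()

# First token of a command line: single-quoted, double-quoted or bare image path.
_IMAGE_RE = re.compile(r"""^(?:'([^']+)'|"([^"]+)"|(\S+))\s*(.*)$""")


def parse_events(lines):
    """Split each row into parent image, child image and the child's arguments."""
    events = []
    for line in lines:
        parent, _, cmd = line.partition(" -> ")
        m = _IMAGE_RE.match(cmd.strip())
        image = next(g for g in m.groups()[:3] if g)
        events.append({"parent": parent.strip(), "image": image, "args": m.group(4)})
    return events


def triage(events):
    """Apply three parent/child heuristics; together they match this sample's tree."""
    findings = []
    # ntpath handles Windows paths on any host; normcase lowercases for comparison.
    seen_images = {ntpath.normcase(e["image"]) for e in events}
    for e in events:
        p_name = ntpath.basename(e["parent"]).lower()
        c_name = ntpath.basename(e["image"]).lower()
        c_dir = ntpath.dirname(e["image"]).lower()
        # 1. A process launching a same-named copy of itself from a user-writable
        #    directory: the dropper stage (the AppData\Local\Temp copy above).
        if (p_name == c_name
                and ntpath.normcase(e["parent"]) != ntpath.normcase(e["image"])
                and "\\appdata\\local\\temp" in c_dir):
            findings.append(("self-copy execution", e["image"]))
        # 2. explorer.exe starting a system binary with no arguments at all: the
        #    shell has no reason to launch msiexec.exe this way; it is the injected
        #    stage picking a host process.
        if p_name == "explorer.exe" and "\\syswow64" in c_dir and not e["args"]:
            findings.append(("explorer.exe spawned bare SysWOW64 binary", c_name))
        # 3. cmd.exe /c del of a path that was itself executed earlier in the tree:
        #    self-deletion of the dropped copy.
        if c_name == "cmd.exe":
            m = re.search(r"/c\s+del\s+['\"]?([^'\"]+)", e["args"], re.IGNORECASE)
            if m and ntpath.normcase(m.group(1).strip()) in seen_images:
                findings.append(("self-deletion via cmd.exe", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_events(PROCESS_EVENTS)):
        print(f"{rule}: {detail}")
```

Rule 3 is the one worth keeping in a production ruleset on its own: a deletion whose target is a path that appeared earlier as a process image is rare in legitimate software and cheap to evaluate from any EDR process log. Rule 2 needs a known-good allowlist on real endpoints, since installers do occasionally launch msiexec.exe from the shell, although never without arguments.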

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match | File source: bVsKNuwn30.exe, type: SAMPLE
Source: Yara match | File source: 0000000C.00000000.482709799.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484079723.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.481505916.0000000000CB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.601052355.0000000004EEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.331883063.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484632271.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.599515980.000000000469F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.539491426.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bVsKNuwn30.exe PID: 5612, type: MEMORY
Source: Yara match | File source: Process Memory Space: bVsKNuwn30.exe PID: 6700, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, type: DROPPED
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.msiexec.exe.4eef834.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.660000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.msiexec.exe.4eef834.4.unpack, type: UNPACKEDPE
Source: bVsKNuwn30.exe | Static PE information: 0xD669075E [Tue Dec 28 08:16:30 2083 UTC]
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F962B5 push 8BFFFFFEh; retf 0_2_00F962BB
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F95265 push ecx; retf 0_2_00F9526C
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F94E5C pushad ; iretd 0_2_00F94E5D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00417B68 push ebx; ret 12_2_00417B69
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CEB5 push eax; ret 12_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CF6C push eax; ret 12_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CF02 push eax; ret 12_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CF0B push eax; ret 12_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_004167E2 push esi; retf 12_2_004167F5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0040C78D push ecx; iretd 12_2_0040C78E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011BD0D1 push ecx; ret 12_2_011BD0E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A3D0D1 push ecx; ret 19_2_04A3D0E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C7B68 push ebx; ret 19_2_007C7B69
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCEB5 push eax; ret 19_2_007CCF08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCF6C push eax; ret 19_2_007CCF72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCF0B push eax; ret 19_2_007CCF72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCF02 push eax; ret 19_2_007CCF08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C67E2 push esi; retf 19_2_007C67F5
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007BC78D push ecx; iretd 19_2_007BC78E
Source: initial sample | Static PE information: section name: .text entropy: 7.99300765862
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
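The static facts in this section and the one before it (a .text section that is executable, readable and at entropy 7.993, a COFF timestamp of 0xD669075E that decodes to December 2083, a COM descriptor directory marking a .NET image, and the NO_SEH/TERMINAL_SERVER_AWARE/DYNAMIC_BASE/NX_COMPAT characteristics) all come from a few header fields that can be read in a dozen lines of struct unpacking. The Python below is an added example, not code from the sandbox or this report. It builds a constructed PE32 image that carries exactly those header values (the sample file itself is not reproduced here; the section bytes are generated pseudo-randomly), parses the headers, and emits the same triage findings; the 7.2 entropy threshold and the "timestamp later than now" rule are the example's own choices.

```python
import hashlib
import math
import struct
from datetime import datetime, timedelta, timezone

# Flag values from winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data):
    """Bits per byte: 8.0 is the ceiling, and packed or encrypted code sits just under it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Read the COFF header, the optional-header fields used for triage, and the sections."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", blob, opt)[0] == 0x20B
    dllchar = struct.unpack_from("<H", blob, opt + 0x46)[0]      # same offset for PE32 and PE32+
    ndirs_off = opt + (0x6C if pe32plus else 0x5C)                # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", blob, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", blob, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, _, _, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "characteristics": chars,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"timestamp": EPOCH + timedelta(seconds=timestamp),   # avoids platform limits of fromtimestamp
            "dll_characteristics": {n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit},
            "directories": dirs, "sections": sections}


def assess(pe, now=None):
    """Return the static findings the report lists, as (finding, detail) pairs."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if pe["timestamp"] > now:
        findings.append(("timestamp in the future", pe["timestamp"].isoformat()))
    if pe["directories"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][1]:
        findings.append(("managed (.NET) image", "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present"))
    for s in pe["sections"]:
        if s["characteristics"] & IMAGE_SCN_CNT_CODE and s["entropy"] > 7.2:
            findings.append(("high-entropy code section", f"{s['name']} {s['entropy']:.3f}"))
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("writable and executable section", s["name"]))
    return findings


def _pseudo_random(n, seed=b"constructed sample"):
    """Deterministic high-entropy bytes standing in for a packed .text section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample():
    """Constructed PE32 image mirroring the report's header facts; not the real sample."""
    text = _pseudo_random(0x2000)
    rdata = b"This program cannot be run in DOS mode.\r\n" * 50     # plain, low-entropy data
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    opt = bytearray(224)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic
    struct.pack_into("<H", opt, 0x46, 0x0040 | 0x0100 | 0x0400 | 0x8000)   # DllCharacteristics
    struct.pack_into("<I", opt, 0x5C, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x3000, 0x1C)
    struct.pack_into("<II", opt, 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0xD669075E, 0, 0, len(opt), 0x0102)
    text_ptr = 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_ptr,
                       0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sect += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x4000, len(rdata),
                        text_ptr + len(text), 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    blob = dos + b"PE\0\0" + coff + opt + sect
    return bytes(blob + b"\0" * (text_ptr - len(blob)) + text + rdata)


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(pe["timestamp"], sorted(pe["dll_characteristics"]))
    for finding, detail in assess(pe):
        print(f"{finding}: {detail}")
```

Two caveats when running this against real files: .NET compilers have written random or future TimeDateStamp values by design since Roslyn switched to deterministic builds, so a future timestamp on a managed image is weaker evidence than the same field on native code; and the entropy figure should be taken per section, as it is here, because a small high-entropy resource inside an otherwise normal image pulls the whole-file figure down.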

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE8
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX, NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
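The "User mode code has changed" line is produced by comparing the first bytes of an export as mapped in the process against the same bytes in the module on disk; the report prints the six replacement bytes it saw at PeekMessageA in explorer.exe but does not decode them. The Python below is an added example of that comparison, not the sandbox's own implementation. The on-disk prologue it uses (mov edi,edi; push ebp; mov ebp,esp, the hot-patchable prologue 32-bit user32 exports start with) and the 5-byte jmp hook written over it are constructed for the example, as is the function address 0x75C1A2B0; only the six "new code" bytes in the second case are taken from the report, and they are deliberately reported as an unrecognised patch rather than interpreted.

```python
import struct

# Constructed sample bytes (not from the report): the standard hot-patchable prologue of a
# 32-bit user32.dll export on disk, and the same bytes after a 5-byte relative jmp hook.
DISK_PROLOGUE = bytes.fromhex("8bff558bec8b4508")      # mov edi,edi; push ebp; mov ebp,esp; mov eax,[ebp+8]
MEMORY_PROLOGUE = bytes.fromhex("e9001000008b4508")    # jmp +0x1000; (rest of prologue intact)
# The six bytes the report lists as the new code at PeekMessageA.
REPORTED_NEW_CODE = bytes.fromhex("488bb8855ee8")
ASSUMED_PEEKMESSAGEA = 0x75C1A2B0                      # hypothetical export address


def decode_trampoline(patched, address):
    """Recognise the common inline-hook stubs at the start of `patched`.

    Returns (kind, branch target) or None when the bytes are not a known stub.
    """
    if len(patched) >= 5 and patched[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", patched, 1)[0]
        return "jmp rel32", (address + 5 + rel) & 0xFFFFFFFF
    if len(patched) >= 6 and patched[:2] == b"\xff\x25":                   # jmp dword ptr [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", patched, 2)[0]
    if len(patched) >= 6 and patched[0] == 0x68 and patched[5] == 0xC3:    # push imm32; ret
        return "push/ret", struct.unpack_from("<I", patched, 1)[0]
    if len(patched) >= 7 and patched[0] == 0xB8 and patched[5:7] == b"\xff\xe0":  # mov eax,imm32; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", patched, 1)[0]
    return None


def check_prologue(name, disk, memory, address):
    """Diff on-disk and in-memory bytes of one export; report the patch and where it branches."""
    diff = [i for i, (a, b) in enumerate(zip(disk, memory)) if a != b]
    if not diff:
        return {"function": name, "hooked": False}
    first, last = diff[0], diff[-1]
    result = {"function": name, "hooked": True, "patch_offset": first,
              "patch_length": last - first + 1,
              "new_code": " ".join(f"0x{b:02X}" for b in memory[first:last + 1])}
    tramp = decode_trampoline(memory[first:], address + first)
    result["kind"], result["target"] = tramp if tramp else ("unrecognized", None)
    return result


if __name__ == "__main__":
    print(check_prologue("PeekMessageA", DISK_PROLOGUE, MEMORY_PROLOGUE, ASSUMED_PEEKMESSAGEA))
    # The report's bytes laid over the assumed prologue: flagged, but not a stub this decoder knows.
    observed = REPORTED_NEW_CODE + DISK_PROLOGUE[len(REPORTED_NEW_CODE):]
    print(check_prologue("PeekMessageA", DISK_PROLOGUE, observed, ASSUMED_PEEKMESSAGEA))
```

On a live system the "disk" side has to be relocated before the comparison (apply the module's base relocations at its actual load address and resolve its imports), otherwise every export that contains an absolute address shows up as patched. When a patch is recognised and its target lies outside any loaded module, that target region is the injected code to dump.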

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 00000000007B98E4 second address: 00000000007B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 00000000007B9B5E second address: 00000000007B9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409A90 rdtsc 12_2_00409A90
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\bVsKNuwn30.exe TID: 6732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`1
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp | Binary or memory string: the same STORAGE#Volume / SCSI#CdRom device path list as above, three further hits differing only in the trailing bytes (P1, 82eb45d9c96749644b820, .Microsoft.WBT)
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.527417475.000000000641D000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409A90 rdtsc 12_2_00409A90
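The "RDTSC instruction interceptor" lines above record two rdtsc instructions six bytes apart with only xor ecx,ecx / add ecx,eax between them, which is the timing-delta idiom (read the counter, save the low half, read it again, compare the difference against a threshold) used to notice that a hypervisor trapped or slowed the instruction; the long run of mov eax, dword ptr fs:[00000030h] that follows is the PEB read behind BeingDebugged and similar checks. The Python below is an added example, not the sandbox's detector: it scans a constructed 32-bit code buffer (the opcode bytes for the report's instruction sequence, assembled by hand for the example, with an invented cmp and PEB.BeingDebugged read added after them) for both idioms and reports their addresses in the same form as the report.

```python
import re

BASE = 0x4098E0   # chosen so the constructed rdtsc pair lands at the report's addresses

# Constructed 32-bit code: the report's "rdtsc; xor ecx,ecx; add ecx,eax; rdtsc" sequence,
# followed by an example delta comparison and a PEB.BeingDebugged read. Hand-assembled.
CODE = bytes.fromhex(
    "55 8b ec 53"            # push ebp; mov ebp,esp; push ebx
    "0f 31"                  # rdtsc                      -> 0x4098E4
    "31 c9"                  # xor ecx,ecx
    "01 c1"                  # add ecx,eax                (ecx = low 32 bits of first reading)
    "0f 31"                  # rdtsc                      -> 0x4098EA
    "2b c1"                  # sub eax,ecx                (delta)
    "3d 00 10 00 00"         # cmp eax,0x1000             (threshold is the example's own)
    "64 a1 30 00 00 00"      # mov eax,fs:[30h]           -> 0x4098F3, PEB pointer
    "0f b6 40 02"            # movzx eax,byte ptr [eax+2] (PEB.BeingDebugged)
    "5b c9 c3"               # pop ebx; leave; ret
)

RDTSC = b"\x0f\x31"
# mov r32, fs:[30h]: either the short form 64 A1 disp32 (eax only) or 64 8B /r with
# mod=00 rm=101 (disp32) for eax/ecx/edx/ebx/esp/ebp/esi/edi.
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")


def find_rdtsc_pairs(code, base, window=16):
    """Two rdtsc within `window` bytes: the timing-delta idiom the interceptor reports."""
    offsets = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    return [(base + a, base + b) for a, b in zip(offsets, offsets[1:]) if 0 < b - a <= window]


def find_peb_reads(code, base):
    """Addresses of mov r32, fs:[30h] instructions (PEB pointer loads)."""
    return [base + m.start() for m in PEB_READ.finditer(code)]


def scan(code, base):
    """Report both idioms in the report's own wording."""
    return {
        "rdtsc_pairs": [f"First address: {a:016X} second address: {b:016X}"
                        for a, b in find_rdtsc_pairs(code, base)],
        "peb_reads": [f"{addr:08X} mov r32, dword ptr fs:[00000030h]"
                      for addr in find_peb_reads(code, base)],
    }


if __name__ == "__main__":
    for key, lines in scan(CODE, BASE).items():
        print(key)
        for line in lines:
            print("  " + line)
```

This is a linear byte-pattern scan, the same class of check as a YARA rule, so a 0F 31 that happens to fall inside an immediate or a displacement is a false positive; on a real unpacked image the pattern should be applied to decoded instructions (a disassembler pass) rather than raw bytes, and the PEB-read count on its own means little, since the CRT and any statically linked runtime read fs:[30h] legitimately. The rdtsc pair within a short window is the stronger of the two signals.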
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91120 LdrInitializeThunk,0_2_00F91120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01169100 mov eax, dword ptr fs:[00000030h] 12_2_01169100 (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01238D34 mov eax, dword ptr fs:[00000030h] 12_2_01238D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01194D3B mov eax, dword ptr fs:[00000030h] 12_2_01194D3B (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119513A mov eax, dword ptr fs:[00000030h] 12_2_0119513A (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34 (13 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116AD30 mov eax, dword ptr fs:[00000030h] 12_2_0116AD30
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01184120 mov eax, dword ptr fs:[00000030h] 12_2_01184120 (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01184120 mov ecx, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01187D50 mov eax, dword ptr fs:[00000030h] 12_2_01187D50
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A3D43 mov eax, dword ptr fs:[00000030h] 12_2_011A3D43
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118B944 mov eax, dword ptr fs:[00000030h] 12_2_0118B944 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011E3540 mov eax, dword ptr fs:[00000030h] 12_2_011E3540
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116B171 mov eax, dword ptr fs:[00000030h] 12_2_0116B171 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118C577 mov eax, dword ptr fs:[00000030h] 12_2_0118C577 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119FD9B mov eax, dword ptr fs:[00000030h] 12_2_0119FD9B (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118C182 mov eax, dword ptr fs:[00000030h] 12_2_0118C182
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119A185 mov eax, dword ptr fs:[00000030h] 12_2_0119A185
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h] 12_2_01162D8A (5 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011935A1 mov eax, dword ptr fs:[00000030h] 12_2_011935A1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01218DF1 mov eax, dword ptr fs:[00000030h] 12_2_01218DF1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116B1E1 mov eax, dword ptr fs:[00000030h] 12_2_0116B1E1 (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011E7016 mov eax, dword ptr fs:[00000030h] 12_2_011E7016 (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011E6C0A mov eax, dword ptr fs:[00000030h] 12_2_011E6C0A (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06 (14 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0123740D mov eax, dword ptr fs:[00000030h] 12_2_0123740D (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119BC2C mov eax, dword ptr fs:[00000030h] 12_2_0119BC2C
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01234015 mov eax, dword ptr fs:[00000030h] 12_2_01234015 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0117B02A mov eax, dword ptr fs:[00000030h] 12_2_0117B02A (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01180050 mov eax, dword ptr fs:[00000030h] 12_2_01180050 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011FC450 mov eax, dword ptr fs:[00000030h] 12_2_011FC450 (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01222073 mov eax, dword ptr fs:[00000030h] 12_2_01222073
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01231074 mov eax, dword ptr fs:[00000030h] 12_2_01231074
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118746D mov eax, dword ptr fs:[00000030h] 12_2_0118746D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01169080 mov eax, dword ptr fs:[00000030h] 12_2_01169080
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E3884 mov eax, dword ptr fs:[00000030h]12_2_011E3884
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E3884 mov eax, dword ptr fs:[00000030h]12_2_011E3884
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov ecx, dword ptr fs:[00000030h]12_2_0119F0BF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov eax, dword ptr fs:[00000030h]12_2_0119F0BF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov eax, dword ptr fs:[00000030h]12_2_0119F0BF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A90AF mov eax, dword ptr fs:[00000030h]12_2_011A90AF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov ecx, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_012214FB mov eax, dword ptr fs:[00000030h]12_2_012214FB
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238CD6 mov eax, dword ptr fs:[00000030h]12_2_01238CD6
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h]12_2_011FFF10
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h]12_2_011FFF10
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119E730 mov eax, dword ptr fs:[00000030h]12_2_0119E730
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0123070D mov eax, dword ptr fs:[00000030h]12_2_0123070D
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0123070D mov eax, dword ptr fs:[00000030h]12_2_0123070D
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h]12_2_01164F2E
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h]12_2_01164F2E
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0122131B mov eax, dword ptr fs:[00000030h]12_2_0122131B
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238F6A mov eax, dword ptr fs:[00000030h]12_2_01238F6A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116F358 mov eax, dword ptr fs:[00000030h]12_2_0116F358
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116DB40 mov eax, dword ptr fs:[00000030h]12_2_0116DB40
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117EF40 mov eax, dword ptr fs:[00000030h]12_2_0117EF40
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h]12_2_01193B7A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h]12_2_01193B7A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116DB60 mov ecx, dword ptr fs:[00000030h]12_2_0116DB60
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117FF60 mov eax, dword ptr fs:[00000030h]12_2_0117FF60
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238B58 mov eax, dword ptr fs:[00000030h]12_2_01238B58
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01235BA5 mov eax, dword ptr fs:[00000030h]12_2_01235BA5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h]12_2_01171B8F
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h]12_2_01171B8F
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121D380 mov ecx, dword ptr fs:[00000030h]12_2_0121D380
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0122138A mov eax, dword ptr fs:[00000030h]12_2_0122138A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]12_2_0116C600
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]12_2_0116C600
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]12_2_0116C600
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121FE3F mov eax, dword ptr fs:[00000030h]12_2_0121FE3F
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116E620 mov eax, dword ptr fs:[00000030h]12_2_0116E620
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h]12_2_0121B260
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h]12_2_0121B260
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238A62 mov eax, dword ptr fs:[00000030h]12_2_01238A62
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]12_2_01169240
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]12_2_01169240
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]12_2_01169240
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]12_2_01169240
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]12_2_01177E41
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]12_2_01177E41
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]12_2_01177E41
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]12_2_01177E41
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]12_2_01177E41
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01177E41 mov eax, dword ptr fs:[00000030h]12_2_01177E41
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A927A mov eax, dword ptr fs:[00000030h]12_2_011A927A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117766D mov eax, dword ptr fs:[00000030h]12_2_0117766D
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h]12_2_01230EA5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h]12_2_01230EA5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01230EA5 mov eax, dword ptr fs:[00000030h]12_2_01230EA5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119D294 mov eax, dword ptr fs:[00000030h]12_2_0119D294
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119D294 mov eax, dword ptr fs:[00000030h]12_2_0119D294
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFE87 mov eax, dword ptr fs:[00000030h]12_2_011FFE87
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119FAB0 mov eax, dword ptr fs:[00000030h]12_2_0119FAB0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]12_2_011652A5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]12_2_011652A5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]12_2_011652A5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]12_2_011652A5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011652A5 mov eax, dword ptr fs:[00000030h]12_2_011652A5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E46A7 mov eax, dword ptr fs:[00000030h]12_2_011E46A7
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011936CC mov eax, dword ptr fs:[00000030h]12_2_011936CC
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121FEC0 mov eax, dword ptr fs:[00000030h]12_2_0121FEC0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238ED6 mov eax, dword ptr fs:[00000030h]12_2_01238ED6
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011776E2 mov eax, dword ptr fs:[00000030h]12_2_011776E2
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011916E0 mov ecx, dword ptr fs:[00000030h]12_2_011916E0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]19_2_04A120A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]19_2_04A120A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]19_2_04A120A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]19_2_04A120A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]19_2_04A120A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A120A0 mov eax, dword ptr fs:[00000030h]19_2_04A120A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F849B mov eax, dword ptr fs:[00000030h]19_2_049F849B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A290AF mov eax, dword ptr fs:[00000030h]19_2_04A290AF
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9080 mov eax, dword ptr fs:[00000030h]19_2_049E9080
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1F0BF mov ecx, dword ptr fs:[00000030h]19_2_04A1F0BF
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1F0BF mov eax, dword ptr fs:[00000030h]19_2_04A1F0BF
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1F0BF mov eax, dword ptr fs:[00000030h]19_2_04A1F0BF
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A63884 mov eax, dword ptr fs:[00000030h]19_2_04A63884
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A63884 mov eax, dword ptr fs:[00000030h]19_2_04A63884
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA14FB mov eax, dword ptr fs:[00000030h]19_2_04AA14FB
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h]19_2_04A66CF0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h]19_2_04A66CF0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66CF0 mov eax, dword ptr fs:[00000030h]19_2_04A66CF0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E58EC mov eax, dword ptr fs:[00000030h]19_2_049E58EC
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]19_2_04A7B8D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov ecx, dword ptr fs:[00000030h]19_2_04A7B8D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]19_2_04A7B8D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]19_2_04A7B8D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]19_2_04A7B8D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7B8D0 mov eax, dword ptr fs:[00000030h]19_2_04A7B8D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB8CD6 mov eax, dword ptr fs:[00000030h]19_2_04AB8CD6
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]19_2_04A1002D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]19_2_04A1002D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]19_2_04A1002D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]19_2_04A1002D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1002D mov eax, dword ptr fs:[00000030h]19_2_04A1002D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1BC2C mov eax, dword ptr fs:[00000030h]19_2_04A1BC2C
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h]19_2_04AB740D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h]19_2_04AB740D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB740D mov eax, dword ptr fs:[00000030h]19_2_04AB740D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA1C06 mov eax, dword ptr fs:[00000030h]19_2_04AA1C06
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]19_2_04A66C0A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]19_2_04A66C0A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]19_2_04A66C0A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66C0A mov eax, dword ptr fs:[00000030h]19_2_04A66C0A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h]19_2_04A67016
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h]19_2_04A67016
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A67016 mov eax, dword ptr fs:[00000030h]19_2_04A67016
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]19_2_049FB02A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]19_2_049FB02A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]19_2_049FB02A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FB02A mov eax, dword ptr fs:[00000030h]19_2_049FB02A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB4015 mov eax, dword ptr fs:[00000030h]19_2_04AB4015
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB4015 mov eax, dword ptr fs:[00000030h]19_2_04AB4015
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0746D mov eax, dword ptr fs:[00000030h]19_2_04A0746D
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AA2073 mov eax, dword ptr fs:[00000030h]19_2_04AA2073
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB1074 mov eax, dword ptr fs:[00000030h]19_2_04AB1074
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1A44B mov eax, dword ptr fs:[00000030h]19_2_04A1A44B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A00050 mov eax, dword ptr fs:[00000030h]19_2_04A00050
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A00050 mov eax, dword ptr fs:[00000030h]19_2_04A00050
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7C450 mov eax, dword ptr fs:[00000030h]19_2_04A7C450
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A7C450 mov eax, dword ptr fs:[00000030h]19_2_04A7C450
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A135A1 mov eax, dword ptr fs:[00000030h]19_2_04A135A1
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A669A6 mov eax, dword ptr fs:[00000030h]19_2_04A669A6
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A161A0 mov eax, dword ptr fs:[00000030h]19_2_04A161A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A161A0 mov eax, dword ptr fs:[00000030h]19_2_04A161A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB05AC mov eax, dword ptr fs:[00000030h]19_2_04AB05AC
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB05AC mov eax, dword ptr fs:[00000030h]19_2_04AB05AC
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]19_2_049E2D8A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]19_2_049E2D8A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]19_2_049E2D8A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]19_2_049E2D8A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E2D8A mov eax, dword ptr fs:[00000030h]19_2_049E2D8A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h]19_2_04A11DB5
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h]19_2_04A11DB5
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A11DB5 mov eax, dword ptr fs:[00000030h]19_2_04A11DB5
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]19_2_04A651BE
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]19_2_04A651BE
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]19_2_04A651BE
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A651BE mov eax, dword ptr fs:[00000030h]19_2_04A651BE
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]19_2_04A12581
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]19_2_04A12581
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]19_2_04A12581
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12581 mov eax, dword ptr fs:[00000030h]19_2_04A12581
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A0C182 mov eax, dword ptr fs:[00000030h]19_2_04A0C182
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1A185 mov eax, dword ptr fs:[00000030h]19_2_04A1A185
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A12990 mov eax, dword ptr fs:[00000030h]19_2_04A12990
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1FD9B mov eax, dword ptr fs:[00000030h]19_2_04A1FD9B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1FD9B mov eax, dword ptr fs:[00000030h]19_2_04A1FD9B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A741E8 mov eax, dword ptr fs:[00000030h]19_2_04A741E8
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A98DF1 mov eax, dword ptr fs:[00000030h]19_2_04A98DF1
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]19_2_04A66DC9
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]19_2_04A66DC9
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]19_2_04A66DC9
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov ecx, dword ptr fs:[00000030h]19_2_04A66DC9
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]19_2_04A66DC9
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A66DC9 mov eax, dword ptr fs:[00000030h]19_2_04A66DC9
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h]19_2_049EB1E1
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h]19_2_049EB1E1
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049EB1E1 mov eax, dword ptr fs:[00000030h]19_2_049EB1E1
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FD5E0 mov eax, dword ptr fs:[00000030h]19_2_049FD5E0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049FD5E0 mov eax, dword ptr fs:[00000030h]19_2_049FD5E0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]19_2_04A04120
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]19_2_04A04120
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]19_2_04A04120
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov eax, dword ptr fs:[00000030h]19_2_04A04120
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A04120 mov ecx, dword ptr fs:[00000030h]19_2_04A04120
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A6A537 mov eax, dword ptr fs:[00000030h]19_2_04A6A537
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h]19_2_04A14D3B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h]19_2_04A14D3B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A14D3B mov eax, dword ptr fs:[00000030h]19_2_04A14D3B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1513A mov eax, dword ptr fs:[00000030h]19_2_04A1513A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A1513A mov eax, dword ptr fs:[00000030h]19_2_04A1513A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h]19_2_049E9100
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h]19_2_049E9100
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049E9100 mov eax, dword ptr fs:[00000030h]19_2_049E9100
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04AB8D34 mov eax, dword ptr fs:[00000030h]19_2_04AB8D34
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]19_2_049F3D34
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]19_2_049F3D34
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A23D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A63540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A07D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A646A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A7FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A116E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A12AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A28EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A9FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A12ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A136CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A24A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A24A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A9FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A18E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A03A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A9B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A9B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A2927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A74257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A14BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A14BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A14BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AA138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A9D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A67794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A67794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A67794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A12397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A237F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AA131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A0F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A7FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A7FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A13B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A13B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 10D0000
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.514299657.00000000008B8000.00000004.00000020.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000000.515063746.0000000000EE0000.00000002.00000001.sdmp, msiexec.exe, 00000013.00000002.599304772.0000000003280000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Queries volume information: C:\Users\user\Desktop\bVsKNuwn30.exe VolumeInformation
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | DLL Side-Loading1 | Process Injection412 | Rootkit1 | Credential API Hooking1 | Security Software Discovery321 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Masquerading1 | Input Capture1 | Process Discovery2 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | System Information Discovery112 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection412 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | DLL Side-Loading1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
bVsKNuwn30.exe | 51% | Virustotal |
bVsKNuwn30.exe | 26% | Metadefender |
bVsKNuwn30.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
bVsKNuwn30.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 51% | Virustotal |
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 26% | Metadefender |
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
12.2.bVsKNuwn30.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
12.0.bVsKNuwn30.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

                  Domains

                  No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://sectigo.com/CPS0U | 0% | URL Reputation | safe
https://sectigo.com/CPS0U | 0% | URL Reputation | safe
https://sectigo.com/CPS0U | 0% | URL Reputation | safe
https://sectigo.com/CPS0U | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.bucksnortneola.com/gw2/ | 1% | Virustotal |
www.bucksnortneola.com/gw2/ | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.bucksnortneola.com/gw2/ | true | Virustotal: 1%; Avira URL Cloud: safe | low

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | bVsKNuwn30.exe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0U | bVsKNuwn30.exe | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | bVsKNuwn30.exe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | bVsKNuwn30.exe | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0D | bVsKNuwn30.exe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
https://secure.comodo.com/CPS0L | bVsKNuwn30.exe | false | | high
http://www.fonts.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://us1.unwiredlabs.com/v2/process.php | bVsKNuwn30.exe | false | | high
http://us1.unwiredlabs.com/v2/process.php?application/json; | bVsKNuwn30.exe | false | | high

                                              Contacted IPs

                                              No contacted IP infos

                                              General Information

                                              Joe Sandbox Version:32.0.0 Black Diamond
                                              Analysis ID:433069
                                              Start date:11.06.2021
                                              Start time:08:49:25
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 10m 27s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:bVsKNuwn30 (renamed file extension from none to exe)
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@7/3@0/0
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 15.5% (good quality ratio 13.9%)
                                              • Quality average: 74.7%
                                              • Quality standard deviation: 31.3%
                                              HCA Information:
                                              • Successful, ratio: 96%
                                              • Number of executed functions: 86
                                              • Number of non-executed functions: 106
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | RFL_PO 69002.doc | malicious

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVsKNuwn30.exe.log
                                                Process:C:\Users\user\Desktop\bVsKNuwn30.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):425
                                                Entropy (8bit):5.340009400190196
                                                Encrypted:false
                                                SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                MD5:CC144808DBAF00E03294347EADC8E779
                                                SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                                                Process:C:\Users\user\Desktop\bVsKNuwn30.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):533488
                                                Entropy (8bit):7.949126101574067
                                                Encrypted:false
                                                SSDEEP:12288:A4tWKG1Gu7iTQezjBwaxITEI3ENCYyuqoTGYA6TJqiU1:A4tc1Gu7KzurgI3FBOAmqb1
                                                MD5:3C88C6EF1A906BC81FC6B5B7FC478E0C
                                                SHA1:1007EA59D9C209F367A1873AE6DA2EAC5FAD81EF
                                                SHA-256:1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
                                                SHA-512:87841B94DB9F67D856CBCC4E14BE6AB56716FFFCA161ADCF23EA5931ED3A2843C5207004E0E5AE7E9E764D9D2825993E2565BE10600134B89677F7734457A0F0
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Author: Joe Security
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 51%
• Antivirus: Metadefender, Detection: 26%
                                                • Antivirus: ReversingLabs, Detection: 55%
                                                Joe Sandbox View:
• Filename: RFL_PO 69002.doc, Detection: malicious
                                                Reputation:low
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.i...............0......J........... ........@.. .......................`............@.....................................S........F...............'...@......l................................................ ............... ..H............text....... ...................... ..`.rsrc....F.......H..................@..@.reloc.......@......................@..B........................H..................&....*..............................................(1...*..(....(...........s....o......}....*.0..F.......(....r...po.....s.......o....(.....o....o........,..o......,..o......*...........0..........*:.......~....*.......*..0..'..........+. ....(......Y..-.s....o.....{....*.*..(....*..{....*"..}....*..{....*"..}....*>..(......(....*..{....*"..}....*..{....*"..}....*>..(......(....*..(.0..b........s......s.....r9..p.o.........(....(....r]..p.o.........(...
                                                C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\bVsKNuwn30.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview: [ZoneTransfer]....ZoneId=0

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.949126101574067
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:bVsKNuwn30.exe
                                                File size:533488
                                                MD5:3c88c6ef1a906bc81fc6b5b7fc478e0c
                                                SHA1:1007ea59d9c209f367a1873ae6da2eac5fad81ef
                                                SHA256:1754283e0b6bbbbeb69f165e54e3795d3e34ca14aa7bd8bd3b7dcdd97f7dfca8
                                                SHA512:87841b94db9f67d856cbcc4e14be6ab56716fffca161adcf23ea5931ed3a2843c5207004e0e5ae7e9e764d9d2825993e2565be10600134b89677f7734457a0f0
                                                SSDEEP:12288:A4tWKG1Gu7iTQezjBwaxITEI3ENCYyuqoTGYA6TJqiU1:A4tc1Gu7KzurgI3FBOAmqb1
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.i...............0......J........... ........@.. .......................`............@................................

                                                File Icon

                                                Icon Hash:23d8dcd2d8d85047

                                                Static PE Info

                                                General

                                                Entrypoint:0x47cfde
                                                Entrypoint Section:.text
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0xD669075E [Tue Dec 28 08:16:30 2083 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Authenticode Signature

                                                Signature Valid:false
                                                Signature Issuer:CN=COMODO RSA Extended Validation Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                Signature Validation Error:The digital signature of the object did not verify
                                                Error Number:-2146869232
                                                Not Before, Not After
                                                • 10/6/2019 5:00:00 PM 10/6/2022 4:59:59 PM
                                                Subject Chain
                                                • CN=Telegram FZ-LLC, O=Telegram FZ-LLC, STREET="Business Central Towers, Tower A, Office 2301 2303", L=Dubai, S=Dubai, C=AE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=AE, SERIALNUMBER=94349
                                                Version:3
                                                Thumbprint MD5:034F2391B5CE85A7D99BC43FE240F70F
                                                Thumbprint SHA-1:D4C89B25D3E92D05B44BC32C0CBFD7693613F3EE
                                                Thumbprint SHA-256:E31F1B9C3DDD0EDEFDF96F85B8FFD1DB976573BB262CC6E1154AD8FDC4D55449
                                                Serial:1F3216F428F850BE2C66CAA056F6D821

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x7cf88          0x53          .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7e000          0x46e8        .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x7fc00          0x27f0        .rsrc
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x84000          0xc           .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x7cf6c          0x1c          .text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                Sections

                                                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                .text   0x2000           0x7afe4       0x7b000   False     0.988739758003   data       7.99300765862   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc   0x7e000          0x46e8        0x4800    False     0.0667860243056  data       2.5375520699    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc  0x84000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name           RVA      Size    Type                                                                         Language  Country
                                                RT_ICON        0x7e100  0x4028  data
                                                RT_GROUP_ICON  0x82138  0x14    data
                                                RT_VERSION     0x8215c  0x38c   PGP symmetric key encrypted data - Plaintext or unencrypted data
                                                RT_MANIFEST    0x824f8  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                Imports

                                                DLL          Import
                                                mscoree.dll  _CorExeMain

                                                Version Infos

                                                Description       Data
                                                Translation       0x0000 0x04b0
                                                LegalCopyright    Copyright (C) 2014-2021
                                                Assembly Version  2.7.4.0
                                                InternalName      RFL_0769002.exe
                                                FileVersion       2.7.4.0
                                                CompanyName       Telegram FZ-LLC
                                                LegalTrademarks
                                                Comments          Telegram Desktop
                                                ProductName       Telegram Desktop
                                                ProductVersion    2.7.4.0
                                                FileDescription   Telegram Desktop
                                                OriginalFilename  RFL_0769002.exe

                                                Network Behavior

                                                No network behavior found

                                                Code Manipulations

                                                User Modules

                                                Hook Summary

                                                Function Name  Hook Type  Active in Processes
                                                PeekMessageA   INLINE     explorer.exe
                                                PeekMessageW   INLINE     explorer.exe
                                                GetMessageW    INLINE     explorer.exe
                                                GetMessageA    INLINE     explorer.exe

                                                Processes

                                                Process: explorer.exe, Module: user32.dll
                                                Function Name  Hook Type  New Data
                                                PeekMessageA   INLINE     0x48 0x8B 0xB8 0x85 0x5E 0xE8
                                                PeekMessageW   INLINE     0x48 0x8B 0xB8 0x8D 0xDE 0xE8
                                                GetMessageW    INLINE     0x48 0x8B 0xB8 0x8D 0xDE 0xE8
                                                GetMessageA    INLINE     0x48 0x8B 0xB8 0x85 0x5E 0xE8

                                                Statistics

                                                CPU Usage


                                                Memory Usage


                                                High Level Behavior Distribution


                                                Behavior


                                                System Behavior

                                                General

                                                Start time: 08:50:21
                                                Start date: 11/06/2021
                                                Path: C:\Users\user\Desktop\bVsKNuwn30.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\Desktop\bVsKNuwn30.exe'
                                                Imagebase: 0x6f0000
                                                File size: 533488 bytes
                                                MD5 hash: 3C88C6EF1A906BC81FC6B5B7FC478E0C
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.481505916.0000000000CB7000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.331883063.00000000006F2000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.484632271.00000000006F2000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation: low

                                                General

                                                Start time: 08:51:31
                                                Start date: 11/06/2021
                                                Path: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
                                                Imagebase: 0x7ff7ae910000
                                                File size: 533488 bytes
                                                MD5 hash: 3C88C6EF1A906BC81FC6B5B7FC478E0C
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000000.482709799.0000000000662000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000000.484079723.0000000000662000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000C.00000002.539491426.0000000000662000.00000002.00020000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 51%, Virustotal, Browse
                                                • Detection: 26%, Metadefender, Browse
                                                • Detection: 55%, ReversingLabs
                                                Reputation: low

                                                General

                                                Start time: 08:51:34
                                                Start date: 11/06/2021
                                                Path: C:\Windows\explorer.exe
                                                Wow64 process (32bit): false
                                                Commandline:
                                                Imagebase: 0x7ff6f22f0000
                                                File size: 3933184 bytes
                                                MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:51:54
                                                Start date: 11/06/2021
                                                Path: C:\Windows\SysWOW64\msiexec.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Windows\SysWOW64\msiexec.exe
                                                Imagebase: 0x10d0000
                                                File size: 59904 bytes
                                                MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.601052355.0000000004EEF000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.599515980.000000000469F000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation: high

                                                General

                                                Start time: 08:52:00
                                                Start date: 11/06/2021
                                                Path: C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit): true
                                                Commandline: /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
                                                Imagebase: 0x2a0000
                                                File size: 232960 bytes
                                                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 08:52:00
                                                Start date: 11/06/2021
                                                Path: C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase: 0x7ff61de10000
                                                File size: 625664 bytes
                                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                Disassembly

                                                Code Analysis

                                                  Executed Functions

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.486105302.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 947df174c38b418c815b075521886a34b8bacc546b4fffb6f602820856e6cb09
                                                  • Instruction ID: e860a8806eb6781235983ee7d24fe3df3b66a9922d53dcb75655e06ac59b7ac7
                                                  • Opcode Fuzzy Hash: 947df174c38b418c815b075521886a34b8bacc546b4fffb6f602820856e6cb09
                                                  • Instruction Fuzzy Hash: 76111834A002158FDB54DB68C458A9D7BF5AF8D714F201069E106EB760DF759C41CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.491981925.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: W b
                                                  • API String ID: 0-1316484958
                                                  • Opcode ID: 5664d954976bdd5531339695fa0915532365b073c47180008c057e8ac90ccf40
                                                  • Instruction ID: b32108495cce267a266b137b88e31003d0c996cf70ae9846026127ac2b1c9cfb
                                                  • Opcode Fuzzy Hash: 5664d954976bdd5531339695fa0915532365b073c47180008c057e8ac90ccf40
                                                  • Instruction Fuzzy Hash: 32610374E26218CFDB14DFE5D584AEDBBF6BF49300F20912AD80AA72A4DB745846CF10
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.491981925.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.491981925.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8^l$8^l
                                                  • API String ID: 0-1938954265

                                                  APIs
                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 00F9FE06
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.486105302.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                  Similarity
                                                  • API ID: CopyFile
                                                  • String ID:
                                                  • API String ID: 1304948518-0

                                                  APIs
                                                  • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00F9F924
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.486105302.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0

                                                  APIs
                                                  • ResumeThread.KERNELBASE(?), ref: 00F9FBCE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.486105302.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485961943.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                                                  Similarity
                                                  • API ID: DrawIcon
                                                  • String ID:
                                                  • API String ID: 3753536421-0

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485961943.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                                                  Similarity
                                                  • API ID: DrawIcon
                                                  • String ID:
                                                  • API String ID: 3753536421-0

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.486105302.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.486105302.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                  Similarity
                                                  • API ID: QueueStatus
                                                  • String ID:
                                                  • API String ID: 611517440-0

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.491981925.0000000005280000.00000040.00000001.sdmp, Offset: 05280000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8^l
                                                  • API String ID: 0-2344173580

                                                  Executed Functions

                                                  C-Code - Quality: 37%
                                                  			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                  				void* _t18;
                                                  				void* _t27;
                                                  				intOrPtr* _t28;
                                                  
                                                  				_t13 = _a4;
                                                  				_t28 = _a4 + 0xc48;
                                                  				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                  				_t6 =  &_a32; // 0x414d42
                                                  				_t12 =  &_a8; // 0x414d42
                                                  				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                  				return _t18;
                                                  			}

                                                  APIs
                                                  • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID: BMA$BMA
                                                  • API String ID: 2738559852-2163208940
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E00419D5A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                  				long _t23;
                                                  				void* _t33;
                                                  
                                                  				asm("lodsd");
                                                  				asm("aas");
                                                  				asm("sbb eax, 0xec8b5539");
                                                  				_t17 = _a4;
                                                  				_t3 = _t17 + 0xc40; // 0xc40
                                                  				E0041A960(_t33, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                  				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                  				return _t23;
                                                  			}

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                  				long _t21;
                                                  				void* _t31;
                                                  
                                                  				_t3 = _a4 + 0xc40; // 0xc40
                                                  				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                  				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                  				return _t21;
                                                  			}

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                  				long _t14;
                                                  				void* _t21;
                                                  
                                                  				_t3 = _a4 + 0xc60; // 0xca0
                                                  				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                  				return _t14;
                                                  			}

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00419F3A(void* __edi, void* __esi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                  				long _t15;
                                                  				void* _t23;
                                                  
                                                  				_t23 = __edi + 1;
                                                  				_t11 = _a4;
                                                  				_t4 = _t11 + 0xc60; // 0xca0
                                                  				E0041A960(_t23, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                  				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                  				return _t15;
                                                  			}

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			E00419E8B(void* __esi, intOrPtr _a4, void* _a8) {
                                                  				long _t9;
                                                  				void* _t12;
                                                  				signed int _t16;
                                                  				signed int _t17;
                                                  
                                                  				_t17 = _t16 ^  *(__esi + 0x55cf8bad);
                                                  				_push(_t17);
                                                  				_t6 = _a4;
                                                  				_t3 = _t6 + 0x10; // 0x300
                                                  				_push(__esi);
                                                  				_t4 = _t6 + 0xc50; // 0x40a923
                                                  				E0041A960(_t12, _a4, _t4,  *_t3, 0, 0x2c);
                                                  				_t9 = NtClose(_a8); // executed
                                                  				return _t9;
                                                  			}

                                                  APIs
                                                  • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00419E90(intOrPtr _a4, void* _a8) {
                                                  				long _t8;
                                                  				void* _t11;
                                                  
                                                  				_t5 = _a4;
                                                  				_t2 = _t5 + 0x10; // 0x300
                                                  				_t3 = _t5 + 0xc50; // 0x40a923
                                                  				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                  				_t8 = NtClose(_a8); // executed
                                                  				return _t8;
                                                  			}

                                                  APIs
                                                  • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b49187d6d4c4d691158397c723a88f10ea8f7634c5c5ea401edcc0934628bd85
                                                  • Instruction ID: c50e7cf762807d52331a9898387e3135629c2679acc51237117f9af7962555bf
                                                  • Opcode Fuzzy Hash: b49187d6d4c4d691158397c723a88f10ea8f7634c5c5ea401edcc0934628bd85
                                                  • Instruction Fuzzy Hash: FB90026160100043458871A999849464005FBE1255751C135E0989550DC699986566A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a0ca4401d31aedadd4e89dcc7247ecaa9917c4868c9a9830ad616f0c67908a84
                                                  • Instruction ID: a64113d704aea8b9bc05e221b6b4cd76f97fdb920fc9176fa1d56808ae4eea25
                                                  • Opcode Fuzzy Hash: a0ca4401d31aedadd4e89dcc7247ecaa9917c4868c9a9830ad616f0c67908a84
                                                  • Instruction Fuzzy Hash: 7590026121180043D64865A95D54B470005E7D0347F51C129E0145554CCA5598616561
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a974ad99f1f42144d722f3e8d060811d84559f6837550514cd8d58b2dc950a57
                                                  • Instruction ID: ff67fa2371acd340d8437568044765192f80468ecd7195dae23e30fbc410c896
                                                  • Opcode Fuzzy Hash: a974ad99f1f42144d722f3e8d060811d84559f6837550514cd8d58b2dc950a57
                                                  • Instruction Fuzzy Hash: 4690027120100803D5C87199554468A0005E7D1345F91C029E0016654DCB559A5977E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d377c8b69dee8a44620fa65e12cf76fece6886c845453443eab08de3d62e32a3
                                                  • Instruction ID: 2a2603fbdee8d52e0a29eb69e5aebb3e6526c75d662947b30b61c83657668a21
                                                  • Opcode Fuzzy Hash: d377c8b69dee8a44620fa65e12cf76fece6886c845453443eab08de3d62e32a3
                                                  • Instruction Fuzzy Hash: F790027120108803D5586199954478A0005E7D0345F55C425E4415658DC7D598917161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                  • Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
                                                  • Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                                  • Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                                  				char _v67;
                                                  				char _v68;
                                                  				void* _t12;
                                                  				intOrPtr* _t13;
                                                  				int _t14;
                                                  				long _t21;
                                                  				intOrPtr* _t25;
                                                  				void* _t26;
                                                  				void* _t30;
                                                  
                                                  				_t30 = __eflags;
                                                  				_v68 = 0;
                                                  				E0041B860( &_v67, 0, 0x3f);
                                                  				E0041C400( &_v68, 3);
                                                  				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                  				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                  				_t25 = _t13;
                                                  				if(_t25 != 0) {
                                                  					_t21 = _a8;
                                                  					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                  					_t32 = _t14;
                                                  					if(_t14 == 0) {
                                                  						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                  					}
                                                  					return _t14;
                                                  				}
                                                  				return _t13;
                                                  			}
                                                  0x004082f0
                                                  0x004082ff
                                                  0x00408303
                                                  0x0040830e
                                                  0x0040831e
                                                  0x0040832e
                                                  0x00408333
                                                  0x0040833a
                                                  0x0040833d
                                                  0x0040834a
                                                  0x0040834c
                                                  0x0040834e
                                                  0x0040836b
                                                  0x0040836b
                                                  0x00000000
                                                  0x0040836d
                                                  0x00408372

                                                  APIs
                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                  • Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
                                                  • Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                                  • Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                  				char* _v8;
                                                  				struct _EXCEPTION_RECORD _v12;
                                                  				struct _OBJDIR_INFORMATION _v16;
                                                  				char _v536;
                                                  				void* _t15;
                                                  				struct _OBJDIR_INFORMATION _t17;
                                                  				struct _OBJDIR_INFORMATION _t18;
                                                  				void* _t30;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  
                                                  				_v8 =  &_v536;
                                                  				_t15 = E0041C650( &_v12, 0x104, _a8);
                                                  				_t31 = _t30 + 0xc;
                                                  				if(_t15 != 0) {
                                                  					_t17 = E0041CA70(__eflags, _v8);
                                                  					_t32 = _t31 + 4;
                                                  					__eflags = _t17;
                                                  					if(_t17 != 0) {
                                                  						E0041CCF0( &_v12, 0);
                                                  						_t32 = _t32 + 8;
                                                  					}
                                                  					_t18 = E0041AEA0(_v8);
                                                  					_v16 = _t18;
                                                  					__eflags = _t18;
                                                  					if(_t18 == 0) {
                                                  						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                  						return _v16;
                                                  					}
                                                  					return _t18;
                                                  				} else {
                                                  					return _t15;
                                                  				}
                                                  			}
                                                  0x0040acec
                                                  0x0040acef
                                                  0x0040acf4
                                                  0x0040acf9
                                                  0x0040ad03
                                                  0x0040ad08
                                                  0x0040ad0b
                                                  0x0040ad0d
                                                  0x0040ad15
                                                  0x0040ad1a
                                                  0x0040ad1a
                                                  0x0040ad21
                                                  0x0040ad29
                                                  0x0040ad2c
                                                  0x0040ad2e
                                                  0x0040ad42
                                                  0x00000000
                                                  0x0040ad44
                                                  0x0040ad4a
                                                  0x0040acfe
                                                  0x0040acfe
                                                  0x0040acfe

                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                  • Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
                                                  • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                                  • Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E0041A1CA(void* __ecx, intOrPtr* __edi, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                  				int _t10;
                                                  
                                                  				asm("int 0x6");
                                                  				 *__edi =  *__edi + __ecx;
                                                  				asm("adc eax, 0xec8b55e0");
                                                  				E0041A960(__edi, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                  				return _t10;
                                                  			}
                                                  0x0041a1ca
                                                  0x0041a1cc
                                                  0x0041a1ce
                                                  0x0041a1ea
                                                  0x0041a200
                                                  0x0041a204

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: 131a6b07d639c62d6ddbb1ce3adc025a54b69d71e4c423c4e38fae939afdb419
                                                  • Instruction ID: cdc875e40a44d32b62258e73030a2dee29117498ea5ba48aacb67c36d30eb2cb
                                                  • Opcode Fuzzy Hash: 131a6b07d639c62d6ddbb1ce3adc025a54b69d71e4c423c4e38fae939afdb419
                                                  • Instruction Fuzzy Hash: D4E09AB2200204ABEB14DF44CC80EE73369EF84360F018159F90CAB341C634E920CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                  				char _t10;
                                                  				void* _t15;
                                                  
                                                  				_t3 = _a4 + 0xc74; // 0xc74
                                                  				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                  				return _t10;
                                                  			}
                                                  0x0041a07f
                                                  0x0041a087
                                                  0x0041a09d
                                                  0x0041a0a1

                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                  • Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
                                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                  • Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                  				void* _t10;
                                                  				void* _t15;
                                                  
                                                  				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                  				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                  				return _t10;
                                                  			}
                                                  0x0041a047
                                                  0x0041a05d
                                                  0x0041a061

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                  • Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
                                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                  • Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                  				int _t10;
                                                  				void* _t15;
                                                  
                                                  				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                  				return _t10;
                                                  			}
                                                  0x0041a1ea
                                                  0x0041a200
                                                  0x0041a204

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                  • Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
                                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                  • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0041A0B0(intOrPtr _a4, int _a8) {
                                                  				void* _t10;
                                                  
                                                  				_t5 = _a4;
                                                  				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                  				ExitProcess(_a8);
                                                  			}
                                                  0x0041a0b3
                                                  0x0041a0ca
                                                  0x0041a0d8

                                                  APIs
                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                  • Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
                                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                  • Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 58%
                                                  			E0041A0AB() {
                                                  				int _v0;
                                                  				intOrPtr _v4;
                                                  				void* _t12;
                                                  				void* _t13;
                                                  				void* _t16;
                                                  
                                                  				_push(cs);
                                                  				_push(ss);
                                                  				 *((intOrPtr*)(_t13 + _t12 + 0x55)) =  *((intOrPtr*)(_t13 + _t12 + 0x55)) + _t13;
                                                  				_t9 = _v4;
                                                  				E0041A960(_t16, _v4, _v4 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
                                                  				ExitProcess(_v0);
                                                  			}
                                                  0x0041a0ab
                                                  0x0041a0ac
                                                  0x0041a0ad
                                                  0x0041a0b3
                                                  0x0041a0ca
                                                  0x0041a0d8

                                                  APIs
                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: c6efede2c070eaae59d3048d9418ec93fcbe09ce7ced92260ac7675bdc28153c
                                                  • Instruction ID: b9840f356cb120c73094856d59e30393323f19d8eb46d810b69287c16ada661f
                                                  • Opcode Fuzzy Hash: c6efede2c070eaae59d3048d9418ec93fcbe09ce7ced92260ac7675bdc28153c
                                                  • Instruction Fuzzy Hash: 74E0C2746003047BC320DF68CCCAFC73BA89F08750F058599B9482B242C530EA00C7E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b0e7cb68ba0f49fc357aba434f9b32f2cbe45a24d58097748a42285a65f6b5aa
                                                  • Instruction ID: 171a5aca3f01c79bd2ce14acfc9358f75b077417f056922dad641f83f4285569
                                                  • Opcode Fuzzy Hash: b0e7cb68ba0f49fc357aba434f9b32f2cbe45a24d58097748a42285a65f6b5aa
                                                  • Instruction Fuzzy Hash: 21B09BB19014D5C6DA5AD7A457087177D00BBD4745F56C065D1060641B8778D0D1F5B5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Strings
                                                  • an invalid address, %p, xrefs: 0121B4CF
                                                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0121B476
                                                  • The resource is owned shared by %d threads, xrefs: 0121B37E
                                                  • The instruction at %p referenced memory at %p., xrefs: 0121B432
                                                  • The instruction at %p tried to %s , xrefs: 0121B4B6
                                                  • *** enter .exr %p for the exception record, xrefs: 0121B4F1
                                                  • *** enter .cxr %p for the context, xrefs: 0121B50D
                                                  • The resource is owned exclusively by thread %p, xrefs: 0121B374
                                                  • This failed because of error %Ix., xrefs: 0121B446
                                                  • a NULL pointer, xrefs: 0121B4E0
                                                  • *** Resource timeout (%p) in %ws:%s, xrefs: 0121B352
                                                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0121B314
                                                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0121B484
                                                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0121B2F3
                                                  • write to, xrefs: 0121B4A6
                                                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0121B323
                                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0121B53F
                                                  • *** then kb to get the faulting stack, xrefs: 0121B51C
                                                  • Go determine why that thread has not released the critical section., xrefs: 0121B3C5
                                                  • <unknown>, xrefs: 0121B27E, 0121B2D1, 0121B350, 0121B399, 0121B417, 0121B48E
                                                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0121B39B
                                                  • read from, xrefs: 0121B4AD, 0121B4B2
                                                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0121B47D
                                                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0121B2DC
                                                  • *** An Access Violation occurred in %ws:%s, xrefs: 0121B48F
                                                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0121B3D6
                                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0121B305
                                                  • *** Inpage error in %ws:%s, xrefs: 0121B418
                                                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0121B38F
                                                  • The critical section is owned by thread %p., xrefs: 0121B3B9
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                  • API String ID: 0-108210295
                                                  • Opcode ID: d8c2af083a1962175fd97a3cc043b344771ac4f4d687aae99319aec8d40c4b80
                                                  • Instruction ID: 2015bdaecea01978ec7fbbc91b9e4934b589fa41b9f751fbd81a3767449839bc
                                                  • Opcode Fuzzy Hash: d8c2af083a1962175fd97a3cc043b344771ac4f4d687aae99319aec8d40c4b80
                                                  • Instruction Fuzzy Hash: D9818734A50201FFDF69AB4AEC86E6B3F76EF26794F40404CFA042B116D3A19451CBB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
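
                                                  Every function record in this report shares one plain-text layout: section headings (APIs, Strings, Memory Dump Source, Similarity, Uniqueness), bullet fields, and a Source File name whose dotted fields identify the dump the function was lifted from. The Python below is an added example, not part of the Joe Sandbox report, that parses records of this shape, decodes the Source File name, and groups functions and recovered strings by memory region so the two regions in this section (0x00400000 and 0x01140000, both in process 0xC) can be compared side by side. Assumptions: the Source File layout pid.stage.id.base.protection.type is inferred from the visible names and is not documented on this page; the protection field is decoded against the Win32 PAGE_* constants (0x40 is PAGE_EXECUTE_READWRITE); the sample input is constructed from two records in this section; names_ntdll is a heuristic on recovered strings, not a verdict on what the region is.

```python
"""Parse Joe Sandbox style function records and group them by memory region.

Added example, not code from the report. Field layout of the Source File
name (pid.stage.id.base.protection.type) is an assumption from the visible
names; protection is decoded with the Win32 PAGE_* constants.
"""
import re
from collections import defaultdict

# Win32 memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

SRC_RE = re.compile(
    r"Source File: ([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness")

# Constructed sample: two records copied from this section of the report.
SAMPLE = r"""
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
Memory Dump Source
• Source File: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Instruction ID: b9840f356cb120c73094856d59e30393323f19d8eb46d810b69287c16ada661f
Uniqueness
Uniqueness Score: -1.00%
Strings
• minkernel\ntdll\ldrmap.c, xrefs: 011C98A2
• LdrpCompleteMapModule, xrefs: 011C9898
Memory Dump Source
• Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
Similarity
• API ID:
• String ID: LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
• API String ID: 0-1676968949
• Instruction ID: e25d076595834d68c3b2a3ecbf667260fca2cda36cbe091424d24f2da1745005
Uniqueness
Uniqueness Score: -1.00%
"""


def parse_source(line):
    """Decode a 'Source File: ...sdmp' field; None if it does not match."""
    m = SRC_RE.search(line)
    if not m:
        return None
    pid, stage, dump_id, base, prot, kind = m.groups()
    prot_val = int(prot, 16)
    return {"pid": int(pid, 16), "stage": int(stage, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "type": int(kind, 16),
            "protection": PAGE_PROTECTION.get(prot_val, hex(prot_val))}


def parse_records(text):
    """Split the dump into records; a 'Uniqueness Score' line ends a record."""
    records, cur, section = [], {"apis": [], "strings": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            records.append(cur)
            cur, section = {"apis": [], "strings": []}, None
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":          # keep 'Name.MODULE', drop args and ref
                cur["apis"].append(re.split(r"\(|,? ref:", body)[0].strip())
            elif section == "Strings":     # drop the trailing xrefs list
                cur["strings"].append(body.rsplit(", xrefs: ", 1)[0])
            elif section == "Memory Dump Source":
                cur["source"] = parse_source(body)
            elif section == "Similarity":  # 'API ID: X' -> cur['API ID'] = 'X'
                key, _, val = body.partition(":")
                cur[key.strip()] = val.strip()
    return records


def group_by_region(records):
    """Group functions (by Instruction ID), APIs and strings per dump base."""
    regions = defaultdict(lambda: {"pid": None, "protection": None,
                                   "functions": set(), "apis": set(), "strings": set()})
    for rec in records:
        src = rec.get("source")
        if not src:
            continue
        reg = regions[src["base"]]
        reg["pid"], reg["protection"] = src["pid"], src["protection"]
        if rec.get("Instruction ID"):
            reg["functions"].add(rec["Instruction ID"])
        reg["apis"].update(rec["apis"])
        reg["strings"].update(rec["strings"])
    return dict(regions)


def names_ntdll(region):
    """Heuristic: a recovered string names ntdll (e.g. an ntdll source path)."""
    return any("ntdll" in s.lower() for s in region["strings"])


if __name__ == "__main__":
    for base, reg in sorted(group_by_region(parse_records(SAMPLE)).items()):
        print(f"pid {reg['pid']} base {base:#010x} {reg['protection']}: "
              f"{len(reg['functions'])} function(s), apis={sorted(reg['apis'])}, "
              f"ntdll strings={names_ntdll(reg)}")
```

                                                  Run against the full text of a report, the grouping shows at a glance which regions carry imported-API references (0x00400000 here, the ExitProcess caller) and which carry ntdll internal strings such as minkernel\ntdll\ldrmap.c and LdrpCompleteMapModule (0x01140000); both regions are marked PAGE_EXECUTE_READWRITE under the assumed field layout, which is worth confirming against the analysis's own memory map before drawing conclusions.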

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                  • API String ID: 0-2897834094
                                                  • Opcode ID: 4d4d1ca1c65ba2a4d9bdfb7e104d2dd5588eea93197e1c7c45d61f791fb33a1a
                                                  • Instruction ID: 17f8edae507400f08096a71162980459a8391282dc7a5f40e6aa7974e4911211
                                                  • Opcode Fuzzy Hash: 4d4d1ca1c65ba2a4d9bdfb7e104d2dd5588eea93197e1c7c45d61f791fb33a1a
                                                  • Instruction Fuzzy Hash: B2610B37A35155FFD35D9B45E589E38B3A8E704938B0D806EF909AB300D77199A0CB1E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  • Kernel-MUI-Language-SKU, xrefs: 01173F70
                                                  • WindowsExcludedProcs, xrefs: 01173D6F
                                                  • Kernel-MUI-Language-Allowed, xrefs: 01173DC0
                                                  • Kernel-MUI-Language-Disallowed, xrefs: 01173E97
                                                  • Kernel-MUI-Number-Allowed, xrefs: 01173D8C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                  • API String ID: 0-258546922
                                                  • Opcode ID: 236f01014889a5ff94f0f2abcf5aa90d31295d35ca7cb41f2ed8e931c2604e51
                                                  • Instruction ID: 79500bc89d96e224c0f3ec172d35612cb081fed38874b3bb487abd4931436e96
                                                  • Opcode Fuzzy Hash: 236f01014889a5ff94f0f2abcf5aa90d31295d35ca7cb41f2ed8e931c2604e51
                                                  • Instruction Fuzzy Hash: 5FF18F76D00619EFCB1ADF98C980EEEBBB9FF18A50F15405AE505A7750E7349E01CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  • minkernel\ntdll\ldrmap.c, xrefs: 011C98A2
                                                  • LdrpCompleteMapModule, xrefs: 011C9898
                                                  • Could not validate the crypto signature for DLL %wZ, xrefs: 011C9891
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                  • API String ID: 0-1676968949
                                                  • Opcode ID: db1c7a19222a12b055cfb39d00c6215127cd6ddaaa7eae9422223d41fe511c3b
                                                  • Instruction ID: e25d076595834d68c3b2a3ecbf667260fca2cda36cbe091424d24f2da1745005
                                                  • Opcode Fuzzy Hash: db1c7a19222a12b055cfb39d00c6215127cd6ddaaa7eae9422223d41fe511c3b
                                                  • Instruction Fuzzy Hash: 17512331600749DBE72DCB6CC948B7A7BF4AB01718F140A69E9519B3E1DB34ED00CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0116E68C
                                                  • InstallLanguageFallback, xrefs: 0116E6DB
                                                  • @, xrefs: 0116E6C0
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                  • API String ID: 0-1757540487
                                                  • Opcode ID: 7b5da6affaab9df59bfd05cd81f386a87fdaee6651518ca8c3aa155f9a12076b
                                                  • Instruction ID: 5b9db1081c2fc7611a5c35a14f5d9a498eb83d7334196ba770df2ab4bf1ca630
                                                  • Opcode Fuzzy Hash: 7b5da6affaab9df59bfd05cd81f386a87fdaee6651518ca8c3aa155f9a12076b
                                                  • Instruction Fuzzy Hash: EA5125766093469BD71CDF28C440BABB7E9BF98A18F45092EF985D7240F734E904C7A2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0118B9A5
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 885266447-0
                                                  • Opcode ID: 9cfaccfd8013874d1ae2027e83bf5b5c89d8548def5a8cd19e45409e2b250184
                                                  • Instruction ID: fb29b706463fb38ff8f74610cc113593ba3d4bfa7ff39d71cf15b4d6f0dab32e
                                                  • Opcode Fuzzy Hash: 9cfaccfd8013874d1ae2027e83bf5b5c89d8548def5a8cd19e45409e2b250184
                                                  • Instruction Fuzzy Hash: A0517871A08741CFC728EF29C08092AFBE5FB88614F55896EF69587345E770E844CF96
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: _vswprintf_s
                                                  • String ID:
                                                  • API String ID: 677850445-0
                                                  • Opcode ID: d03c9a416ef9e4d660e54f0e460a1ec8acd33f12cb1d4f205f750af76e7431d8
                                                  • Instruction ID: edcfdc38d5f106294b23bf5a9eac0630191b96ffb7e1aef08f0022d234e767b0
                                                  • Opcode Fuzzy Hash: d03c9a416ef9e4d660e54f0e460a1ec8acd33f12cb1d4f205f750af76e7431d8
                                                  • Instruction Fuzzy Hash: BB510575D082698FEF39CFA8C850BEEBBB0BF14B14F1041ADD8599B682D7714941CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 011DBE0F
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                  • API String ID: 0-865735534
                                                  • Opcode ID: 0fa0b9c95d4bce680c8475107053f70647a0155a3e2a8490e3837cf65389d534
                                                  • Instruction ID: 2dfa727a2b983f818a8c99ca545a5a1ed489119da269e8720aad83f2ea457176
                                                  • Opcode Fuzzy Hash: 0fa0b9c95d4bce680c8475107053f70647a0155a3e2a8490e3837cf65389d534
                                                  • Instruction Fuzzy Hash: 72A12731B00647ABEF2DCF68C450B7EBBB5AF49724F054569D926CB781DB30D8428B91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Re-Waiting
                                                  • API String ID: 0-316354757
                                                  • Opcode ID: d1f6e438c77674fedac8a66bd1bfa3656629afad537587007a061f577b4073ba
                                                  • Instruction ID: fb054c3143062cc64a3f6e447267e4f3f4c29d014e1bd25510c1719264d3532b
                                                  • Opcode Fuzzy Hash: d1f6e438c77674fedac8a66bd1bfa3656629afad537587007a061f577b4073ba
                                                  • Instruction Fuzzy Hash: 25615631A00606AFEB3EDF6CCCC0BBEBBA8EB40714F154269E911972C1C7359902C792
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `
                                                  • API String ID: 0-2679148245
                                                  • Opcode ID: de5b1632839e2b4ace6d651763e25d25d109bccbe7314111d0ab62909407c11a
                                                  • Instruction ID: fe8d23a27d8dce0ce0015bb14880a232904c4da3ec96015e978083fbff158c98
                                                  • Opcode Fuzzy Hash: de5b1632839e2b4ace6d651763e25d25d109bccbe7314111d0ab62909407c11a
                                                  • Instruction Fuzzy Hash: 9651C3B13243429FD325DF28D884B2BBBE5EBC4704F04092CFA9697290DB71E805CB66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                  • Instruction ID: f3ae11669da30a643ca10dc44e6714ad5aa1f0a6c7925faca2fa9f0fcbe340e6
                                                  • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                  • Instruction Fuzzy Hash: 2F519C71104712AFC324DF18C840A6BBBF8FF58714F00892EFAA587690E7B4E945CB92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BinaryHash
                                                  • API String ID: 0-2202222882
                                                  • Opcode ID: 206b8de6804f392461bdb7b5b25c15a5ae253c524a0a1403a094b394c37c9d37
                                                  • Instruction ID: ba860f7953dd693d36ea90458fc350896cd2b951730a1ee7ee1caeaec7941421
                                                  • Opcode Fuzzy Hash: 206b8de6804f392461bdb7b5b25c15a5ae253c524a0a1403a094b394c37c9d37
                                                  • Instruction Fuzzy Hash: 104166B1D1052D9BDB25DAA0CC84FEEB77CAB44718F0045A5E619AB240DB309F88CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BinaryName
                                                  • API String ID: 0-215506332
                                                  • Opcode ID: c38861ebfd697b05bf6c7ad59a4ca8d20477195777849fc6388bbc83ee6450d3
                                                  • Instruction ID: 31c224b914eba85dcea27d3e81eeca5ff41ecf4661f9896ae54c8ad94034ad7a
                                                  • Opcode Fuzzy Hash: c38861ebfd697b05bf6c7ad59a4ca8d20477195777849fc6388bbc83ee6450d3
                                                  • Instruction Fuzzy Hash: C6310A72D0091ABFDB1DDA98C949E6FBBB4FF40720F024169E924A7280E7309E00C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 03e87d7a3ac8fdb8fdd65ef0dca1006a56e72443560d3ac35849b3657e48a041
                                                  • Instruction ID: 94dff9327d4a28d555f5fa3f49ff24e7748da010ccbdd5eb181dfa60be309dbe
                                                  • Opcode Fuzzy Hash: 03e87d7a3ac8fdb8fdd65ef0dca1006a56e72443560d3ac35849b3657e48a041
                                                  • Instruction Fuzzy Hash: A931E2B550C3059FCB19DF68D88096FBBE8EB85654F41092EF9A483250D734DE08CB93
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: WindowsExcludedProcs
                                                  • API String ID: 0-3583428290
                                                  • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                  • Instruction ID: 1959a61c031ece0d51e603d2880d5934c728239c7166852b577f738519789fac
                                                  • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                  • Instruction Fuzzy Hash: 0A21F83A500129BBDB2A9AD9D840FAB7BBDAF51A50F064425FA049B300D730DD00DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  • Critical error detected %lx, xrefs: 01218E21
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Critical error detected %lx
                                                  • API String ID: 0-802127002
                                                  • Opcode ID: 677faf6035931d5b0e308db721ae7a99f1923982aa229786954d8042136a7657
                                                  • Instruction ID: 92ad26c61899ce9a598812e629a1f31ae043601779c04db17917f1a7520eea9f
                                                  • Opcode Fuzzy Hash: 677faf6035931d5b0e308db721ae7a99f1923982aa229786954d8042136a7657
                                                  • Instruction Fuzzy Hash: 3A118B71D24349DBDF28DFA895857DCBBF1BB14318F20426DE628AB282C3700602CF14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 011FFF60
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                  • API String ID: 0-1911121157
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode Fuzzy Hash: 786cfcdada0d542ea6fbb4d13974bdfa7e514555a2d8a995e2e67660d74b580c
                                                  • Instruction Fuzzy Hash: 43019275A0021DAFCB14DFA8D841EAEBBB8EF44700F404056F904EB281D7749A41CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                  • Instruction ID: a5aa5776508ac5a4bdd1b297b94f405f315f1045bf88788005b9a3bcd2290312
                                                  • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                  • Instruction Fuzzy Hash: D301BC322049849FE32B875CD888F667BF8EF91A40F1900A5FA19CBB91E728DC40C625
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c64dcabbac2336bff7605202ab611ab1e1d0dd5573dca6dc0cb09539b566d01d
                                                  • Instruction ID: 65a33d712d2d1d474403b0daf284596bfb4ff3c1b4c14ccc23921866e0e99d32
                                                  • Opcode Fuzzy Hash: c64dcabbac2336bff7605202ab611ab1e1d0dd5573dca6dc0cb09539b566d01d
                                                  • Instruction Fuzzy Hash: 580128B26247429FC710EF69C944B2ABBD5ABD4210F04C619FD8583690EE70D450CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fe40288f6e248fd0c0e8a0cee16191bd005ca78458ffe67614adcdb85c7b3440
                                                  • Instruction ID: 7b5a363daf584637147372f9ff3a52c4d352f61b51b796f95a2df09024c86517
                                                  • Opcode Fuzzy Hash: fe40288f6e248fd0c0e8a0cee16191bd005ca78458ffe67614adcdb85c7b3440
                                                  • Instruction Fuzzy Hash: 9B01D471E0020DABCB18DFA8D845FAEBBB8EF50704F004066F900AB281DA709901CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b30140139a8cbc5db0b53bda0d5930daee13929890c60b96cdbc87b57eb0d4dd
                                                  • Instruction ID: 08f707b4cb322af755dcab6d2bf3499d88a7e9d9c37d95ff10ecd0005b5db700
                                                  • Opcode Fuzzy Hash: b30140139a8cbc5db0b53bda0d5930daee13929890c60b96cdbc87b57eb0d4dd
                                                  • Instruction Fuzzy Hash: 0801D471A0020DABCB14DFA8D845FAEBBB8EF54704F404066F900AB280DA709A01CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 983bb7ec24a63966453c83091a68e8c9aa3734a7e156197229be646346ccff51
                                                  • Instruction ID: d53a339fa2183810ab3033acdd1ec7116ddd490e6d46a5d4133f63a3674b8112
                                                  • Opcode Fuzzy Hash: 983bb7ec24a63966453c83091a68e8c9aa3734a7e156197229be646346ccff51
                                                  • Instruction Fuzzy Hash: B4012CB5A1021DAFCB04DFA9D9419AEBBB8EF58314F50415AFA05EB341D734A901CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 49ce20f936cdd00e686930c5227de1f5c7cfd84871e03440c0c101759bf84e49
                                                  • Instruction ID: ac7be58a0a8b4dfef5e9eeedf2bc922029ef54fc4b560cb82c237256c0a03c95
                                                  • Opcode Fuzzy Hash: 49ce20f936cdd00e686930c5227de1f5c7cfd84871e03440c0c101759bf84e49
                                                  • Instruction Fuzzy Hash: AF111274A102599FDB04DFA8D541BADBBF4FF08304F5442A6E518EB382D7349940CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                  • Instruction ID: ecda70e33ec8c006714fcec257f7e684926cdfc307c59c8e98c3cab608248262
                                                  • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                  • Instruction Fuzzy Hash: 07F0FC333015239BDB3E6AD95884F57BA9DCFD3A60F1A0035F6459B34CCB628C1286D2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                  • Instruction ID: a30b1a4a41328599d580fac112ab8ce487b885188c0146d9d8574d633d826181
                                                  • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                  • Instruction Fuzzy Hash: 8F01D132308680EBE32E975DC804F697BDDEF61B54F0940A5FA15CBAB2D779D810C619
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d1954b836fd1aa47325f07d2bdabc62b1e1429f7c3d52034c8cdc03149359960
                                                  • Instruction ID: ca58ef7e0bd0db6a23e63dbc4435274f27be867f982f8a82e34d95c95f27d192
                                                  • Opcode Fuzzy Hash: d1954b836fd1aa47325f07d2bdabc62b1e1429f7c3d52034c8cdc03149359960
                                                  • Instruction Fuzzy Hash: 31016275A0021DEFCB18DFA8D555A6EBBF4EF04704F504199B914DB382D735D902CB40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 133f928109ca1648f71af69af6eca8734137bb4ac854b15a2b12ed401179d867
                                                  • Instruction ID: e84da9da6b4b8f03f8dcf244ef6188767af21f80ba3ae9842a09aa37fbdd7154
                                                  • Opcode Fuzzy Hash: 133f928109ca1648f71af69af6eca8734137bb4ac854b15a2b12ed401179d867
                                                  • Instruction Fuzzy Hash: 29018C75A0025DAFCB04EFA8D545AAEBBF4FF08300F40805AF905EB381E6349A00CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 72548d4e68cfcafb87b55bc7dadabfb7da75bbfc1e4cf0f4fb0b02cdd3f9326a
                                                  • Instruction ID: 7f623057430c647447ad5015cd85560a6f74f7ab0b60613ce04bda67b52b0fe0
                                                  • Opcode Fuzzy Hash: 72548d4e68cfcafb87b55bc7dadabfb7da75bbfc1e4cf0f4fb0b02cdd3f9326a
                                                  • Instruction Fuzzy Hash: C5014474A0420DAFDB04EFA8D545AAEBBF4EF58304F504159F905EB381DB74DA00CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ba54b8fe4adccbcbadad2ece5acb4376b038e673211d8efe771a5af290205d1c
                                                  • Instruction ID: 07c1e965339ca4cad36dd57bcd832d16b1482b0af510eea39aec468b0b1bbdd9
                                                  • Opcode Fuzzy Hash: ba54b8fe4adccbcbadad2ece5acb4376b038e673211d8efe771a5af290205d1c
                                                  • Instruction Fuzzy Hash: 8CF09AB2B166949FEF3EA72CC004BA27FE89B05670F45C566E50687602C7A4D880CEF1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d1d3e7ebfde2431fd25b65662afd0dd8173f15fa25f59de9d1d6faac98ee33d
                                                  • Instruction ID: cc61955d056fcad3b9ee6f13b42ec185bf1a23b602c8a8ef8c19335783232a7c
                                                  • Opcode Fuzzy Hash: 4d1d3e7ebfde2431fd25b65662afd0dd8173f15fa25f59de9d1d6faac98ee33d
                                                  • Instruction Fuzzy Hash: 38F0BEB4A1460DAFDB18EFB8D546A6EBBB4EF58304F508099F905EB281EA34D900CB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39c2a74c44940e0649278fa12c19581e58e5c931241942b0b6be42ab23334d2f
                                                  • Instruction ID: 0134a209ceb27ea4819b95325e64e38f971e339d4b9e7097a9a1c3fd6d38ffb3
                                                  • Opcode Fuzzy Hash: 39c2a74c44940e0649278fa12c19581e58e5c931241942b0b6be42ab23334d2f
                                                  • Instruction Fuzzy Hash: AAF05C2E8312A69ADF37AB3D31493F93FD1D775110F090045EA501B209C57F8A93CB11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                  • Instruction ID: 3ba35975e3e6a3db5d608731b885da2b4d91a28d0b5ee702861e6d0427731a02
                                                  • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                  • Instruction Fuzzy Hash: D7E02B323405416BE7159E49CC80F573B5DDFD2728F004079B5001E242CBE5DC0987A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e5201db59c7fb5df293567b05947edabc09d2cf6336536ad2ce762ca541b3fab
                                                  • Instruction ID: 2e312817a59e8383007ee01a258a8425c562e6acd480dbe0deba60cc19e41d0b
                                                  • Opcode Fuzzy Hash: e5201db59c7fb5df293567b05947edabc09d2cf6336536ad2ce762ca541b3fab
                                                  • Instruction Fuzzy Hash: 6CF0593450014DAACF0EB76CC840B79FFB1AF10698F25C119D851A71D1E3648801CF86
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e6b4a8f1e332d094826bffe518e2ff45f6eb6d37383038bda40ed742502c9f2
                                                  • Instruction ID: d7c639e67c55a6069d826e5920dc1d404ae51a58f209d1cd7115205197ad9051
                                                  • Opcode Fuzzy Hash: 0e6b4a8f1e332d094826bffe518e2ff45f6eb6d37383038bda40ed742502c9f2
                                                  • Instruction Fuzzy Hash: 06F089B4A1424DABDB04DBB8D945D6E77B4EF58204F500199F515EB2C1DA34D900C754
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54e03150c4766fffc620037abd283775985ffc3353ec688f286bbaba080fc1e0
                                                  • Instruction ID: 059137feee78fef5fbe0e043a3bce5cc4338fcb5381c3e73d00754a4503f28f4
                                                  • Opcode Fuzzy Hash: 54e03150c4766fffc620037abd283775985ffc3353ec688f286bbaba080fc1e0
                                                  • Instruction Fuzzy Hash: 48F0E93D522694DFD779DB1CC244B2277E4AB18F7CF054578F40587911C724ED40C650
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12c6f395d56f7102fe7a2cc58368269805e72eebf693d7c60f813f328d3edf51
                                                  • Instruction ID: 8824533841bd3502d5659d0a87f6c135c98c5497cf653446889f0b0c11986201
                                                  • Opcode Fuzzy Hash: 12c6f395d56f7102fe7a2cc58368269805e72eebf693d7c60f813f328d3edf51
                                                  • Instruction Fuzzy Hash: 62F0E2B0A1425EABDB08EBA8D906E6E77B4EF04304F400199FA05DB3C1FB34D900C798
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                  • Instruction ID: 7250746e001524929b3ed9173908b58a91f3f9035b7c005654c09393ad19a2c2
                                                  • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                  • Instruction Fuzzy Hash: 5BE0C032A00219FBCB34A6CC9D01F9BBFBCDB44A60F010051FA04D7050D7319E00C2C0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7e1876abc837d261dbeb05c20bf6d8b780013d9846c675e4219f271f885c21cb
                                                  • Instruction ID: 358856607f6705b2f59031ba553864794acf98d3715faf183a6859985435fddf
                                                  • Opcode Fuzzy Hash: 7e1876abc837d261dbeb05c20bf6d8b780013d9846c675e4219f271f885c21cb
                                                  • Instruction Fuzzy Hash: 4AE0D8B2105206DFD73DD759D140F2637BC9B51621F19801DF0188B602CB21D882C687
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                  • Instruction ID: 508429761e38d80b7b3d54bb98be3fc546bf3855af8699dc6c95ca35acef2316
                                                  • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                  • Instruction Fuzzy Hash: 5DE0C231281609FBDB26AF84CC04F697B5ADB607A4F204031FE085A690C7759CA1DAC4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a792821ed5ab68acbcb132bb9111d9183922004052879042c57af09a52b3e154
                                                  • Instruction ID: 13762e44363ad5cf63fc6c8f6e2e7463f75aa8e7a272faf43fc33cce4d1f96e9
                                                  • Opcode Fuzzy Hash: a792821ed5ab68acbcb132bb9111d9183922004052879042c57af09a52b3e154
                                                  • Instruction Fuzzy Hash: 48D0C7A11300001ACB2D2360A8A8B213622FB846A0F74882CE2160B9A4EB708CD88208
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6b5c378e0d6cc7233cf90831ce2eec1b081aae7dec99c5cecec3d9b784088fb1
                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011FFDFA
                                                  Strings
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011FFE2B
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011FFE01
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: true
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                  • API String ID: 885266447-3903918235
                                                  • Opcode ID: 634e121ed4b1fc051605067db1a361e87c197a7a4729060cfd4a0daebb09e2c3
                                                  • Instruction ID: 351c47debac9e86d6e8e9a276ed117477837565d04e49e7734683ee686e11348
                                                  • Opcode Fuzzy Hash: 634e121ed4b1fc051605067db1a361e87c197a7a4729060cfd4a0daebb09e2c3
                                                  • Instruction Fuzzy Hash: 60F0F637640602BFE7281A45DC02F23BF5AEB44B70F150318F728561D1EBA2F82086F0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,007C4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,007C4B87,007A002E,00000000,00000060,00000000,00000000), ref: 007C9DAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 796e31357c7ca5ba65dbf94e6dae51b491815cee809bc0092698027b107e22df
                                                  • Instruction ID: 1bfcd08679e1f5fa531710d68be2b8d5894b9b087555c8d737e358025c6c8191
                                                  • Opcode Fuzzy Hash: 796e31357c7ca5ba65dbf94e6dae51b491815cee809bc0092698027b107e22df
                                                  • Instruction Fuzzy Hash: 4C01BDB6200108BBCB48CF88DD85EEB37A9EF8C754F15864CFA0DA7241C630E811CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,007C4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,007C4B87,007A002E,00000000,00000060,00000000,00000000), ref: 007C9DAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction ID: cd6ccfa00a3214594b0d65c372c51b4367b6c3c1a59c1b7cc16ed20fd114302f
                                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction Fuzzy Hash: C5F0B2B2200208ABCB48CF88DC85EEB77ADAF8C754F158248BA0D97241C630F8118BA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL( M|,?,?,007C4D20,00000000,FFFFFFFF), ref: 007C9EB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: M|
                                                  • API String ID: 3535843008-3681063853
                                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                  • Instruction ID: af9d26c89e8abdf887baf4438e7464e558c2e34580d164c6ace5e5b26c012f3f
                                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                  • Instruction Fuzzy Hash: 37D01275200218BBD710EB98CC85F97775CEF44750F154459BA585B242C530F50086E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL( M|,?,?,007C4D20,00000000,FFFFFFFF), ref: 007C9EB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID: M|
                                                  • API String ID: 3535843008-3681063853
                                                  • Opcode ID: 0b7fbf59db0a4c0214a3e78c7fb01f0ceee14cd594fcd3b8549a7ffc64ea6046
                                                  • Instruction ID: 8663e5b2f260f38bc79578db145e0a4e79bc4029ad7fb944985cb5baddf41aaa
                                                  • Opcode Fuzzy Hash: 0b7fbf59db0a4c0214a3e78c7fb01f0ceee14cd594fcd3b8549a7ffc64ea6046
                                                  • Instruction Fuzzy Hash: 17E08C75200308AFD710EB94CC89E977768EF48750F058498BA585B242C670F60086D0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtReadFile.NTDLL(?,?,FFFFFFFF,007C4A01,?,?,?,?,007C4A01,FFFFFFFF,?,BM|,?,00000000), ref: 007C9E55
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction ID: 9265ad34b625b7ddf1cae7c18782eca1cd713e9b7468e3f48dfecec68217772e
                                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction Fuzzy Hash: 5DF0A4B2200208ABCB14DF89DC85EEB77ADEF8C754F158248BA1DA7241D630E8118BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,007B2D11,00002000,00003000,00000004), ref: 007C9F79
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction ID: 2e6d0210d7dd0c591998ebc276b3f83d999a3dae8c2a93cd78def961729ee6a3
                                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction Fuzzy Hash: 86F015B2200208ABCB14DF89CC81EAB77ADEF88754F118148BE08A7241C630F810CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,007B2D11,00002000,00003000,00000004), ref: 007C9F79
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: c7a4a1dce5e75cbeab3b3f3405e48302a382b82f3c0fa65069f38e40722e119f
                                                  • Instruction ID: 9c8987eb866b28b78aa988b26ede35af5c54d779408e0f1630abaac0b58ead3d
                                                  • Opcode Fuzzy Hash: c7a4a1dce5e75cbeab3b3f3405e48302a382b82f3c0fa65069f38e40722e119f
                                                  • Instruction Fuzzy Hash: 1CF01CB5200208BFDB14DF98CC85EAB77ADEF88354F15865CFA9997281C630E951CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 9bf0e03921e89d204ad741bccc078701198cdede444fb0076cefe4d71a9c09b8
                                                  • Instruction ID: 8448a9438f2b16440001a7529940e347610dcea4eed2cf63a5805d1c886488a9
                                                  • Opcode Fuzzy Hash: 9bf0e03921e89d204ad741bccc078701198cdede444fb0076cefe4d71a9c09b8
                                                  • Instruction Fuzzy Hash: FD90027121100453F11161694504707000997D0687F91C412B0415558DE696D962B161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 30de05d75bdd44497f3c454a95383c208fed28b4f7b6bd246d0df772b7be2cba
                                                  • Instruction ID: f34e8ff3dc8ba76035e95c94617507d307731a26bdf96ff8499245ced29f50fb
                                                  • Opcode Fuzzy Hash: 30de05d75bdd44497f3c454a95383c208fed28b4f7b6bd246d0df772b7be2cba
                                                  • Instruction Fuzzy Hash: FA900261252041927545B16944045074006A7E0687B91C012B1405950CD566E866E661
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 383c75bca130c29167404a1481c0bc88cfeec4e00c22ffec0eb0539bbcd0050f
                                                  • Instruction ID: 6a852ae5387f64ebcad44935c503ae6adae5d647af0a24a065f3ee541e5e023f
                                                  • Opcode Fuzzy Hash: 383c75bca130c29167404a1481c0bc88cfeec4e00c22ffec0eb0539bbcd0050f
                                                  • Instruction Fuzzy Hash: 579002A135100482F10061694414B060005D7E1747F51C015F1055554DD659DC627166
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: ebc5f323fb99d7402803de0d769625eb168e1d12f8e9d83061525aa7b717a5f5
                                                  • Instruction ID: ec04e16d69c96542c38acd1b282a5643b8a650974e2e6952a16556259e821cce
                                                  • Opcode Fuzzy Hash: ebc5f323fb99d7402803de0d769625eb168e1d12f8e9d83061525aa7b717a5f5
                                                  • Instruction Fuzzy Hash: 799002A121200043610571694414616400A97E0647F51C021F1005590DD565D8A17165
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8783075e0a825a86aed04f327e908f686966f10c5c44a0629d2e9fd66b2442e1
                                                  • Instruction ID: fcf427afcb82ff89c40a44320d9022b46f5b6028075d14f8296bde89b921799e
                                                  • Opcode Fuzzy Hash: 8783075e0a825a86aed04f327e908f686966f10c5c44a0629d2e9fd66b2442e1
                                                  • Instruction Fuzzy Hash: B39002B121100442F14071694404746000597D0747F51C011B5055554ED699DDE576A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 336d681611f6e2aa990b9b71597f1d5d2b0999f86ea1966f6fa39da1e5d55d3c
                                                  • Instruction ID: 2e539c0dd50c761e1b6ecdf4ae5d11739d749e45f9513d6d4036589bd9adf563
                                                  • Opcode Fuzzy Hash: 336d681611f6e2aa990b9b71597f1d5d2b0999f86ea1966f6fa39da1e5d55d3c
                                                  • Instruction Fuzzy Hash: BB900265221000432105A5690704507004697D5797751C021F1006550CE661D8716161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 76540c1eaa7e99202eae23fbe3077b7f4c53aefb383cf613da2b56b7df4746ad
                                                  • Instruction ID: b40569f6621c8e99d9a4b6ff210ec6fa2887c8c342bd584c3644b36c846be7bd
                                                  • Opcode Fuzzy Hash: 76540c1eaa7e99202eae23fbe3077b7f4c53aefb383cf613da2b56b7df4746ad
                                                  • Instruction Fuzzy Hash: E290027121108842F1106169840474A000597D0747F55C411B4415658DD6D5D8A17161
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: af6682d2debfdb29494f7c0a4321dba2bc363fdcaafd04000f9086a8f854aa70
                                                  • Instruction ID: 996bd58a7fba622ec8d8a472ad57af38ae4490ca1a45437a2450293d0f7fda7a
                                                  • Opcode Fuzzy Hash: af6682d2debfdb29494f7c0a4321dba2bc363fdcaafd04000f9086a8f854aa70
                                                  • Instruction Fuzzy Hash: D090027121100882F10061694404B46000597E0747F51C016B0115654DD655D8617561
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 10fc4661f97fdead84cd1b6e3442998cc0b66a25dab1a586f042aa9c80e2c27e
                                                  • Instruction ID: 32ebae472d2a2f9c23303abaa9cc4e85e407831e9e119f0fec28f019d68e4767
                                                  • Opcode Fuzzy Hash: 10fc4661f97fdead84cd1b6e3442998cc0b66a25dab1a586f042aa9c80e2c27e
                                                  • Instruction Fuzzy Hash: BB90027121100842F1807169440464A000597D1747F91C015B0016654DDA55DA6977E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1822d7bd6092036979bcdbb664d1987880bd7e34c2f2c9418af83e88abed7035
                                                  • Instruction ID: d732660f3fdaeadff22d9fca0fe8ce66dabb3119aacf7fbe26f3f3291f253b31
                                                  • Opcode Fuzzy Hash: 1822d7bd6092036979bcdbb664d1987880bd7e34c2f2c9418af83e88abed7035
                                                  • Instruction Fuzzy Hash: 0A90027121504882F14071694404A46001597D074BF51C011B0055694DE665DD65B6A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a2d378f25f4958de5d525d37a9888a9443c5d0d0bd5ad519c3333ec508e0e055
                                                  • Instruction ID: e5ab94c46683d90285c108dfd5fab5d46777b7637d7377401439ceff3d92b2f6
                                                  • Opcode Fuzzy Hash: a2d378f25f4958de5d525d37a9888a9443c5d0d0bd5ad519c3333ec508e0e055
                                                  • Instruction Fuzzy Hash: A390026122180082F20065794C14B07000597D0747F51C115B0145554CD955D8716561
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 73beb49b74759a6226e97c81be83306bed5d081b7cac59b64880e4674ddf7a82
                                                  • Instruction ID: 2b3c4675bfd5e99a36326fb6b9873d102e0444bc5eeeba734b281cbbccb2dac6
                                                  • Opcode Fuzzy Hash: 73beb49b74759a6226e97c81be83306bed5d081b7cac59b64880e4674ddf7a82
                                                  • Instruction Fuzzy Hash: E190026922300042F1807169540860A000597D1647F91D415B0006558CD955D8796361
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 3a5bb08d6532767e4d300e005aaa60149f1f86c9b8fdc82d31716c63e8a55ade
                                                  • Instruction ID: 6e74d31e287579b66efd5e6ab7eef8c4ae18487e270c6193d435c411f87cfaba
                                                  • Opcode Fuzzy Hash: 3a5bb08d6532767e4d300e005aaa60149f1f86c9b8fdc82d31716c63e8a55ade
                                                  • Instruction Fuzzy Hash: AB90027132114442F11061698404706000597D1647F51C411B0815558DD6D5D8A17162
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: bcb278c7ee67e69f4fbd1a9c8a2465baa79ab902dd5cc02bc321be6e23255088
                                                  • Instruction ID: dd84245a405266be24002ed9cceb41960edbe5441f5e55ab6e0f7619b6cc3544
                                                  • Opcode Fuzzy Hash: bcb278c7ee67e69f4fbd1a9c8a2465baa79ab902dd5cc02bc321be6e23255088
                                                  • Instruction Fuzzy Hash: A890027121100442F10065A95408646000597E0747F51D011B5015555ED6A5D8A17171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,007B3AF8), ref: 007CA09D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID: .z`
                                                  • API String ID: 3298025750-1441809116
                                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                  • Instruction ID: 42580fe029818d33bdd8a04ff562b8255d2f751d58a51aaffe5768356c4d1c56
                                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                  • Instruction Fuzzy Hash: 90E04FB1200208BBD714DF59CC49EA777ACEF88750F018558FD0857241C630F910CAF0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 007B834A
                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 007B836B
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                                  • Instruction ID: aed08e04bf445e4010c16dc72b74f2aab8d2b1c68464af2b7fb35f5d72610dd3
                                                  • Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                                  • Instruction Fuzzy Hash: D801A771A80228BBE721A6989C47FFE776C6B40F51F05415CFF04FA1C1E6D8690646F6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 007CA134
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID:
                                                  • API String ID: 2186235152-0
                                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                  • Instruction ID: 2104c0986064a9789c3039e7edc2055cd82fd5c9679553288f726130b90cad8f
                                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                  • Instruction Fuzzy Hash: 9301AFB2210108BBCB54DF89DC81EEB77ADAF8C754F158258BA0DA7241C630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,007BF1A2,007BF1A2,?,00000000,?,?), ref: 007CA200
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: e2051275d9ea06a44c6d06bc0d4b8b1826f931bbba6a6eb254549d9deffb0759
                                                  • Instruction ID: 15485aab7e6fa71367118641c660a2b4f8732f892f7be3680f57f9cae2d1335f
                                                  • Opcode Fuzzy Hash: e2051275d9ea06a44c6d06bc0d4b8b1826f931bbba6a6eb254549d9deffb0759
                                                  • Instruction Fuzzy Hash: 95E01AB6600218ABEB14DF44CC85EE73769EF84360F118159F94DAB341D634E914CBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(007C4506,?,007C4C7F,007C4C7F,?,007C4506,?,?,?,?,?,00000000,00000000,?), ref: 007CA05D
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                  • Instruction ID: 5b712920f41613197878b9046e3a10b19bf931b19b05e910f2710dad5caa1029
                                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                  • Instruction Fuzzy Hash: 93E012B1200208ABDB14EF99CC85EA777ACEF88754F118558BA086B242C630F9108AB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,007BF1A2,007BF1A2,?,00000000,?,?), ref: 007CA200
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                  • Instruction ID: 3619b82e3c2a5c201da2bfbb532cc400381f8da5900750063f15aa36c78a65e0
                                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                  • Instruction Fuzzy Hash: 8DE01AB1200208ABDB10DF49CC85EE737ADEF88750F018158BA0867241C934F8108BF5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,007B8CF4,?), ref: 007BF6CB
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, Offset: 007B0000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                  • Instruction ID: 94655809bb383194039a3a064a5e404be8f53b29d910aca4ea881accd1fe095e
                                                  • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                                  • Instruction Fuzzy Hash: 07D0A7717903043BE610FEA49C07F6633CD6B44B04F490078FA48D73C3D954E4004165
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 87e4bd269a4abe883909cdb3a65a6778fd056ac3c033c684748451c40df7b9cf
                                                  • Instruction ID: 9a2e6ab94427f8e49cd00b048afc78e481bb782a1455c17ec22fe85c9801c0a4
                                                  • Opcode Fuzzy Hash: 87e4bd269a4abe883909cdb3a65a6778fd056ac3c033c684748451c40df7b9cf
                                                  • Instruction Fuzzy Hash: 49B09BB19014D5C9F711D7744708717794477D0B46F16C061E1020641A4778D195F5B6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 53%
                                                  			E04A7FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                  				void* _t7;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t10;
                                                  				intOrPtr* _t12;
                                                  				intOrPtr* _t13;
                                                  				intOrPtr _t14;
                                                  				intOrPtr* _t15;
                                                  
                                                  				_t13 = __edx;
                                                  				_push(_a4);
                                                  				_t14 =  *[fs:0x18];
                                                  				_t15 = _t12;
                                                  				_t7 = E04A2CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                  				_push(_t13);
                                                  				E04A75720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                  				_t9 =  *_t15;
                                                  				if(_t9 == 0xffffffff) {
                                                  					_t10 = 0;
                                                  				} else {
                                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                  				}
                                                  				_push(_t10);
                                                  				_push(_t15);
                                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                  				return E04A75720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                  			}


                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A7FDFA
                                                  Strings
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04A7FE01
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04A7FE2B
                                                  Memory Dump Source
                                                  • Source File: 00000013.00000002.599728004.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: true
                                                  • Associated: 00000013.00000002.599893831.0000000004ADB000.00000040.00000001.sdmp
                                                  • Associated: 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                  • API String ID: 885266447-3903918235
                                                  • Opcode ID: 9bdaf9ca783efecb6b66d9a9291c7fa7ace2cf02059e3d289d833bafc9261d5d
                                                  • Instruction ID: a980185d369a72576b90089d9752b123b56e1ba6ce7ffcb1a4b0b772f9e8071c
                                                  • Opcode Fuzzy Hash: 9bdaf9ca783efecb6b66d9a9291c7fa7ace2cf02059e3d289d833bafc9261d5d
                                                  • Instruction Fuzzy Hash: FBF0F672600601BFEA301B55DD02F23BB6AEB84730F144354F628569D1EA62F92096F8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%