Windows Analysis Report: Purchase Order.exe

Overview

General Information

Sample Name: Purchase Order.exe
Analysis ID: 452476
MD5: c13f1850e9d955f826620bd1ae322368
SHA1: 1329de0499fabc6fcffd4fa02864968acaac253e
SHA256: 419d8b92dc042882bb3261de70dfe4a158bc9ca436c71f9bf330bb8a6917d04c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Purchase Order.exe (PID: 1376 cmdline: 'C:\Users\user\Desktop\Purchase Order.exe' MD5: C13F1850E9D955F826620BD1AE322368)
    • Purchase Order.exe (PID: 1784 cmdline: {path} MD5: C13F1850E9D955F826620BD1AE322368)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 5288 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 244 cmdline: /c del 'C:\Users\user\Desktop\Purchase Order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
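The chain above, as an added detection example (this is not Joe Sandbox code): Sysmon-style process-creation events constructed from the PIDs, images and MD5s in the tree, and a check that keys on the tail of the chain, a cmd.exe /c del of an executable that itself ran earlier, launched by a SysWOW64 binary under explorer.exe. The check deliberately does not rely on explorer.exe being a child of the sample: the sandbox draws it there because it follows the injected code, while host telemetry records explorer.exe's real parent. Assumed, not in the report: the first instance's parent PID (1000), the cmd.exe image path C:\Windows\SysWOW64\cmd.exe, and the command line of PID 1784, which the report prints only as {path}.

```python
"""Added example (not Joe Sandbox code): flag the tail of the process chain in
the report, cmd.exe /c del <sample> launched by a SysWOW64 binary that
explorer.exe started, where <sample> is an executable that ran on the host."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon event ID 1 shape: PIDs, image path, command line, hash."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str


SAMPLE = r"C:\Users\user\Desktop\Purchase Order.exe"

# Constructed from the report's process tree. Assumptions not in the report:
# the first instance's parent PID (1000), the cmd.exe image path, and the
# command line of PID 1784, which the report prints only as {path}.
EVENTS = [
    ProcEvent(1376, 1000, SAMPLE, f"'{SAMPLE}'", "C13F1850E9D955F826620BD1AE322368"),
    ProcEvent(1784, 1376, SAMPLE, f"'{SAMPLE}'", "C13F1850E9D955F826620BD1AE322368"),
    ProcEvent(3388, 1784, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
              "AD5296B280E8F522A8A897C96BAB0E1D"),
    ProcEvent(5288, 3388, r"C:\Windows\SysWOW64\cscript.exe",
              r"C:\Windows\SysWOW64\cscript.exe", "00D3041E47F99E48DD5FFFEDF60F6304"),
    ProcEvent(244, 5288, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'",
              "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(3596, 244, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              "EA777DEEA782E8B4D7C7C33BBF8A4496"),
]

# `cmd /c del "<path>.exe"` with either quote style or none.
DEL_RE = re.compile(r"""/c\s+del\s+["']?(.+?\.exe)["']?\s*$""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(events: List[ProcEvent]) -> List[dict]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    by_image: Dict[str, List[ProcEvent]] = {}
    for e in events:
        by_image.setdefault(e.image.lower(), []).append(e)

    findings = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        proxy = by_pid.get(e.ppid)                           # expected: SysWOW64 LOLBin
        shell = by_pid.get(proxy.ppid) if proxy else None    # expected: explorer.exe
        if proxy is None or shell is None:
            continue
        if "\\syswow64\\" not in proxy.image.lower() or basename(shell.image) != "explorer.exe":
            continue
        roots = by_image.get(m.group(1).lower(), [])        # the deleted file must have run
        if not roots:
            continue
        root = roots[0]
        # A hollowed copy shows up as a second instance of the same image and
        # hash under the first (as in the report's tree); record it as evidence.
        spawned_copy = any(c.ppid == root.pid and c.image.lower() == root.image.lower()
                           and c.md5.lower() == root.md5.lower() for c in events)
        findings.append({
            "cmd_pid": e.pid,
            "proxy": basename(proxy.image),
            "root_pid": root.pid,
            "deleted": root.image,
            "root_spawned_copy_of_itself": spawned_copy,
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_delete_chains(EVENTS):
        print(finding)
```

On the constructed events this yields one finding: cmd.exe PID 244, proxy cscript.exe, root PID 1376, with the self-spawned copy (PID 1784) confirmed. The 32-bit path check matters because the sample is a 32-bit PE (see the static PE information under AV Detection), so its injected code lands in SysWOW64 binaries.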

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.valiantfinancial.net/hth0/"], "decoy": ["grahamandjana.com", "surfpodcastnetwork.com", "valkyrie20.com", "hire4looks.com", "wewalkfastasone.com", "saveourschoolyear.com", "5g23e.com", "abusinesssystems.com", "telefonepantalla.com", "tailorscafe.com", "schwarzer-markt.net", "stopwatch247.com", "458grandbetting.com", "xpovision.com", "kutkingbarbering.life", "kppp-guxxz.xyz", "chuckwagon-chow.com", "la-casa-delle-vita.com", "creativesocials.com", "negociacoeshojebr.com", "conservativestyle.life", "825tache.com", "birthmothersmaine.com", "jwrl.net", "gardiantparts.com", "contodosyparaelbiendetodos.com", "actymall.com", "oxyde.net", "adagiomusicacademy.com", "newjerseyscubadiving.net", "87oaks.com", "overt.website", "home-made-gifts.com", "viralgoats.com", "camediahub.com", "bankruptcyprobabilities.com", "yourlifematterswellness.email", "earnestjourneycourses.com", "landonpaints.com", "aesegroup.com", "omegle99.com", "sparklinmomma.com", "cofcwzrf.com", "jam-nins.com", "mazacz.com", "copdrule.info", "cahayaqq.life", "helps-paxful.com", "gerado.online", "patanamedia.com", "fromfeartotrust.com", "deux-studios.com", "wallinders.com", "nilton-g.com", "yijiamobile.com", "ocheap3dbuy.com", "flima2020a.site", "battlefieldtitle.site", "ferrebaviera.com", "plushmint.com", "achievementfound.com", "dontbringcovidhome.com", "cultigique.com", "waveplumb.com"]}
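An added example (not Joe Sandbox code and not the sample's own logic) that turns the configuration above into DNS indicators and classifies observed queries in the shape the report prints them. It uses a five-entry subset of the decoy list and four constructed DNS lines: the first two are copied from the report's Networking section, the other two are assumed.

```python
"""Added example (not Joe Sandbox code): derive DNS indicators from the
extracted FormBook configuration and classify observed queries."""
import json
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Five-entry subset of the report's configuration (the page lists 64 decoys).
CONFIG_JSON = """{"C2 list": ["www.valiantfinancial.net/hth0/"],
 "decoy": ["grahamandjana.com", "surfpodcastnetwork.com", "deux-studios.com",
           "abusinesssystems.com", "helps-paxful.com"]}"""

# Constructed log lines in the report's "query: <name> replaycode: <text> (<n>)"
# shape. The first two are copied from the report; the last two are assumed.
DNS_LOG = [
    "query: www.deux-studios.com replaycode: Name error (3)",
    "query: www.abusinesssystems.com replaycode: Name error (3)",
    "query: www.valiantfinancial.net replaycode: No error (0)",
    "query: crl.globalsign.net replaycode: No error (0)",
]

DNS_LINE = re.compile(r"query:\s+(\S+)\s+replaycode:\s+(.*?)\s*\((\d+)\)")


def load_config() -> dict:
    return json.loads(CONFIG_JSON)


def bare_host(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so config entries
    (bare domains) and observed queries (www.-prefixed) compare equal."""
    h = name.strip().rstrip(".").lower()
    return h[4:] if h.startswith("www.") else h


def indicators(cfg: dict) -> Tuple[Dict[str, str], Set[str]]:
    """C2 host -> URL path, and the set of decoy hosts."""
    c2: Dict[str, str] = {}
    for entry in cfg["C2 list"]:
        parts = urlsplit(entry if "://" in entry else "http://" + entry)
        c2[bare_host(parts.hostname or "")] = parts.path or "/"
    decoys = {bare_host(d) for d in cfg.get("decoy", [])}
    return c2, decoys


def classify_dns(lines: List[str], cfg: dict) -> List[dict]:
    c2, decoys = indicators(cfg)
    out = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        host = bare_host(m.group(1))
        if host in c2:
            verdict = "c2"
        elif host in decoys:
            verdict = "decoy"
        else:
            verdict = "unrelated"
        rcode = int(m.group(3))
        out.append({"query": m.group(1), "rcode": rcode,
                    "nxdomain": rcode == 3, "verdict": verdict})
    return out


def summary(lines: List[str], cfg: dict) -> Dict[str, int]:
    counts: Dict[str, int] = {"c2": 0, "decoy": 0, "unrelated": 0}
    for r in classify_dns(lines, cfg):
        counts[r["verdict"]] += 1
    return counts


if __name__ == "__main__":
    cfg = load_config()
    print(indicators(cfg))
    for r in classify_dns(DNS_LOG, cfg):
        print(r)
```

FormBook beacons to its decoy domains as well as to the real C2, so a run typically shows decoy lookups (here two of them, both NXDOMAIN) and the decoys are unrelated, often legitimate, domains. Block and alert on the C2 host together with its URL path (www.valiantfinancial.net/hth0/); keep the decoy list as hunting context, not as a blocklist.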

Yara Overview

Memory Dumps

Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(18 further memory-dump entries not shown)

Unpacked PEs

Source: 16.2.Purchase Order.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 16.2.Purchase Order.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 16.2.Purchase Order.exe.400000.0.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C

Source: 16.2.Purchase Order.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 16.2.Purchase Order.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further unpacked-PE entry not shown)
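An added scanner for the strings the two community rules matched above, written as plain Python rather than a yara-python run (this is not the rules' own code and not Joe Sandbox code). The hex strings are copied from the match tables. The buffer it scans is constructed by placing each string at the offset the report gives for the 0x400000 dump, so the offsets it returns are those offsets by construction, not a re-derivation from the sample. Two details worth seeing in code: $sequence_0 decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the TSC-delta pattern behind the report's RDTSC signature, and each JPCERT string is a 5-byte push imm32 whose operand the rule's own names associate with sqlite3 API lookups.

```python
"""Added example (not the rules' own code, not a yara-python run): scan a buffer
for the byte strings the two community Formbook rules matched in this report."""
from typing import Dict, List

# Hex strings copied from the report's match tables.
RULE_STRINGS: Dict[str, Dict[str, str]] = {
    # Formbook_1 (Felix Bilstein, yara-signator). $sequence_0 decodes to
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: a TSC delta, i.e. the
    # RDTSC timing check the report flags as virtualization detection.
    "Formbook_1": {
        "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
        "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
        "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
        "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
        "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
        "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
        "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
        "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
        "$sequence_8": "3C 54 74 04 3C 74 75 F4",
        "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    },
    # JPCERT/CC "detect Formbook in memory": each string is a 5-byte push imm32
    # (opcode 0x68); the rule's names tie the immediates to sqlite3 API lookups.
    "Formbook_JPCERT": {
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}

# Offsets the report lists for the 0x400000 dump; used only to build the test buffer.
REPORTED_OFFSETS: Dict[str, List[int]] = {
    "$sequence_0": [0x98E8, 0x9B62], "$sequence_1": [0x15685], "$sequence_2": [0x15171],
    "$sequence_3": [0x15787], "$sequence_4": [0x158FF], "$sequence_5": [0xA57A],
    "$sequence_6": [0x143EC], "$sequence_7": [0xB273], "$sequence_8": [0x1B4F7],
    "$sequence_9": [0x1C4FA], "$sqlite3step": [0x18419, 0x1852C],
    "$sqlite3text": [0x18448, 0x1856D], "$sqlite3blob": [0x1845B, 0x18583],
}


def parse_hex(s: str) -> bytes:
    return bytes(int(tok, 16) for tok in s.split())


def find_all(buf: bytes, pat: bytes) -> List[int]:
    """Every offset of pat in buf, overlapping matches included."""
    hits, i = [], buf.find(pat)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1)
    return hits


def scan(buf: bytes) -> Dict[str, Dict[str, List[int]]]:
    """rule name -> {string name: offsets} for every string that hit."""
    result: Dict[str, Dict[str, List[int]]] = {}
    for rule, strings in RULE_STRINGS.items():
        hits = {name: find_all(buf, parse_hex(hx)) for name, hx in strings.items()}
        result[rule] = {name: offs for name, offs in hits.items() if offs}
    return result


def push_imm32(hx: str) -> int:
    """Operand of a 5-byte `push imm32` (opcode 0x68, little-endian immediate)."""
    b = parse_hex(hx)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32")
    return int.from_bytes(b[1:], "little")


def build_test_buffer() -> bytes:
    """Constructed 128 KiB buffer of NOPs with each string at its reported offset."""
    buf = bytearray(b"\x90" * 0x20000)
    for strings in RULE_STRINGS.values():
        for name, hx in strings.items():
            pat = parse_hex(hx)
            for off in REPORTED_OFFSETS[name]:
                buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    for rule, hits in scan(build_test_buffer()).items():
        print(rule, {n: [hex(o) for o in offs] for n, offs in hits.items()})
    print(hex(push_imm32(RULE_STRINGS["Formbook_JPCERT"]["$sqlite3step"])))
```

Against a real dump, the same strings match in both the .raw.unpack and .unpack copies at offsets that differ by a constant 0xE00 (0x98e8 versus 0x8ae8, 0x15685 versus 0x14885, and so on), the shift between the dump's memory layout and the rebuilt file layout; a rule written on these literal byte strings is layout-independent, which is why it fires on both.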

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Purchase Order.exe, ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match, File source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Purchase Order.exe, Joe Sandbox ML: detected
Source: 16.2.Purchase Order.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Purchase Order.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP, source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: Purchase Order.exe, 00000010.00000002.363433472.000000000194F000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: Purchase Order.exe, cscript.exe
Source: Binary string: cscript.pdb, source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Purchase Order.exe, Code function: 4x nop then pop edi, 16_2_0040E44E
Source: C:\Users\user\Desktop\Purchase Order.exe, Code function: 4x nop then pop edi, 16_2_00417D7C
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop edi, 19_2_00D5E44E
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop edi, 19_2_00D67D7C

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.valiantfinancial.net/hth0/
Source: unknown, DNS traffic detected: query: www.deux-studios.com replaycode: Name error (3)
Source: unknown, DNS traffic detected: query: www.abusinesssystems.com replaycode: Name error (3)
Source: unknown, DNS traffic detected: queries for: www.deux-studios.com
Both names queried during the run are www.-prefixed entries from the configuration's decoy list, and both returned NXDOMAIN (Name error); the report records no query for the configured C2 host www.valiantfinancial.net.
Source: explorer.exe, 00000011.00000000.337336723.000000000F5C0000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Purchase Order.exe, 00000000.00000003.230153130.00000000056A8000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.226282943.000000000569C000.00000004.00000001.sdmp, String found in binary or memory: http://www.agfamonotype.
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comcr
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: Purchase Order.exe, 00000000.00000003.223685242.00000000056A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comof
Source: Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comtGi
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com.TTF
Source: Purchase Order.exe, 00000000.00000003.226282943.000000000569C000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com.TTFuo
Source: explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order.exe, 00000000.00000002.314683016.0000000005690000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com=
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd-o
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comdsed
Source: Purchase Order.exe, 00000000.00000003.230396940.00000000056A2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.come.com
Source: Purchase Order.exe, 00000000.00000002.314683016.0000000005690000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como
Source: Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsivao
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cngib
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnmpa-u
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnoup
Source: Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnoupyt
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnrosCu
Source: Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnt
Source: Purchase Order.exe, 00000000.00000003.227884543.00000000056A0000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order.exe, 00000000.00000003.227809153.00000000056A0000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//2o
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/;o
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Co
Source: Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Ko
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Purchase Order.exe, 00000000.00000003.225076126.00000000056A3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/uo
Source: Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: Purchase Order.exe, 00000000.00000003.224849274.00000000056A2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/lt
Source: Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ue
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/uo
Source: Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/zo
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase Order.exe, 00000000.00000003.223470937.00000000056A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cno.
The URLs in these string hits are font-foundry and font-licence URLs of the kind carried in font files and font-rendering code (several of them also appear in explorer.exe's own image mappings), plus a GlobalSign CRL endpoint; they are not network indicators for this sample and should not be added to blocklists.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, same nine file sources (two UNPACKEDPE, seven MEMORY) as listed for this signature under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order.exe
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A060 NtClose
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A110 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00419F30 NtCreateFile
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00419FE0 NtReadFile
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A05A NtClose
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041A10C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00419FDA NtReadFile
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018999A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018995D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018998F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018997A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018996E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018999D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018995F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189AD30 NtSetContextThread
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899950 NtQueueApcThread
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899560 NtWriteFile
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018998A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899820 NtEnumerateKey
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189B040 NtSuspendThread
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899B00 NtSetValueKey
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899760 NtOpenProcess
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899770 NtSetInformationFile
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189A770 NtOpenThread
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018996D0 NtCreateKey
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A10 NtQuerySection
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899650 NtQueryValueKey
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F595D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F599A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F596E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F596D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F598F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F598A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5B040 NtSuspendThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F595F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F599D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59560 NtWriteFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A20 NtResumeThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A10 NtQuerySection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F597A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5A770 NtOpenThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59760 NtOpenProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F59B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A060 NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A110 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D69FE0 NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D69F30 NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A05A NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6A10C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D69FDA NtReadFile
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051A1EB4
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051409D8
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00401030
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041E903
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041E1D5
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D9E4
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D441
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D563
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00402D87
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00402D90
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00409E40
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00409E3B
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00402FB0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01882581
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019225DD
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186D5E0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185F900
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01922D07
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01850D20
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01874120
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01921D55
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186B090
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018820A0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019220A8
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019228EC
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01911002
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186841F
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191D466
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188EBB0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191DBD2
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01921FF1
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01922B28
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019222AE
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01922EF7
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01876E30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE28EC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F420A0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE20A8
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F2B090
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FDD466
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F2841F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FD1002
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F2D5E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE25DD
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F42581
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE1D55
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F10D20
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F34120
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F1F900
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE2D07
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE2EF7
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE22AE
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F36E30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE1FF1
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FDDBD2
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F4EBB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04FE2B28
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6E1D5
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6E903
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6D441
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D52D90
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D52D87
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D6D563
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D59E40
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D59E3B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_00D52FB0
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: String function: 0185B150 appears 35 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04F1B150 appears 35 times
Source: Purchase Order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Purchase Order.exe, 00000000.00000002.316200555.0000000006320000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.315638714.0000000005EE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.313563096.0000000005240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Order.exe
Source: Purchase Order.exe, 00000000.00000002.305496464.0000000000917000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenametV45e.exe2 vs Purchase Order.exe
Source: Purchase Order.exe, 00000010.00000000.304813686.0000000000D77000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenametV45e.exe2 vs Purchase Order.exe
Source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Purchase Order.exe
Source: Purchase Order.exe, 00000010.00000002.363433472.000000000194F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order.exe
Source: Purchase Order.exe | Binary or memory string: OriginalFilenametV45e.exe2 vs Purchase Order.exe
Source: Purchase Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/0
Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_01
Source: C:\Users\user\Desktop\Purchase Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order.exe | ReversingLabs: Detection: 13%
Source: Purchase Order.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: Purchase Order.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order.exe 'C:\Users\user\Desktop\Purchase Order.exe'
Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Purchase Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Purchase Order.exe, 00000010.00000002.363433472.000000000194F000.00000040.00000001.sdmp, cscript.exe, 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Purchase Order.exe, cscript.exe
Source: Binary string: cscript.pdb | source: Purchase Order.exe, 00000010.00000002.363242230.00000000017A0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000011.00000000.333473408.0000000009B40000.00000002.00000001.sdmp
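The "Code function" inventory above (NtCreateProcessEx, NtUnmapViewOfSection, NtCreateSection/NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread, NtResumeThread in process 16) and the process tree (Purchase Order.exe re-launching itself, explorer.exe launching cscript.exe, cscript.exe running cmd /c del against the dropper) are the two things a triager reads first in a report like this. The script below is an added example, not part of the Joe Sandbox output or of the sample: it parses a handful of the report's own lines (copied here with the column separator restored), maps each process's native-API set onto the stages of process hollowing, and flags the self-spawn / explorer.exe-to-SysWOW64-binary / self-delete chain. The stage grouping and the finding labels are the author's own choices, and the NtCreateUserProcess entry is included only for completeness (it does not appear in this report).

```python
import re
from collections import defaultdict

# Report lines copied from this analysis (column separator restored). A real
# run would feed the whole "Code function" and "Process created" listings.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018999D0 NtCreateProcessEx",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018997A0 NtUnmapViewOfSection, LdrInitializeThunk",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018999A0 NtCreateSection, LdrInitializeThunk",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899780 NtMapViewOfSection, LdrInitializeThunk",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018998A0 NtWriteVirtualMemory",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0189AD30 NtSetContextThread",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899950 NtQueueApcThread",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01899A20 NtResumeThread, LdrInitializeThunk",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F599A0 NtCreateSection, LdrInitializeThunk",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Code function: 19_2_04F5A3B0 NtGetContextThread",
    r"Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order.exe 'C:\Users\user\Desktop\Purchase Order.exe'",
    r"Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe {path}",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order.exe'",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

CODE_RE = re.compile(r"^Source: (?P<image>.+?) \| Code function: (?P<addr>\d+_\d+_[0-9A-Fa-f]+) (?P<apis>.+)$")
PROC_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<image>.+?\.exe)\s*(?P<cmdline>.*)$", re.I)

# Native APIs grouped by the process-hollowing stage they serve (author's grouping).
HOLLOWING_STAGES = {
    "create child": {"NtCreateProcessEx", "NtCreateUserProcess"},
    "unmap original image": {"NtUnmapViewOfSection"},
    "map or write payload": {"NtCreateSection", "NtMapViewOfSection", "NtWriteVirtualMemory"},
    "hijack thread": {"NtSetContextThread", "NtQueueApcThread"},
    "resume": {"NtResumeThread"},
}

def parse_report(lines):
    """Return ({(pid, image): set(api)}, [(parent, child, cmdline)])."""
    apis, procs = defaultdict(set), []
    for line in lines:
        m = CODE_RE.match(line)
        if m:
            pid = m.group("addr").split("_")[0]          # "16_2_..." -> process 16
            apis[(pid, m.group("image"))] |= {n.strip() for n in m.group("apis").split(",") if n.strip()}
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append((m.group("parent"), m.group("image"), m.group("cmdline")))
    return apis, procs

def injection_stages(api_set):
    """Which hollowing stages a process's native-API inventory covers."""
    return {stage: sorted(api_set & names) for stage, names in HOLLOWING_STAGES.items() if api_set & names}

def chain_findings(procs):
    """Flag the chain seen in this report: self-spawn, explorer.exe launching a
    SysWOW64 binary, and that binary deleting the dropper with cmd /c del."""
    findings = []
    for parent, child, cmdline in procs:
        pbase, cbase = parent.rsplit("\\", 1)[-1].lower(), child.rsplit("\\", 1)[-1].lower()
        if pbase == cbase:
            findings.append(("self-spawn", child))
        if pbase == "explorer.exe" and "\\syswow64\\" in child.lower():
            findings.append(("explorer-spawns-wow64-binary", child))
        m = re.search(r"/c\s+del\s+'?(.+?)'?$", cmdline, re.I)
        if cbase == "cmd.exe" and m:
            findings.append(("self-delete", m.group(1)))
    return findings

def triage(lines):
    apis, procs = parse_report(lines)
    return {
        "injection": {f"{pid} {image}": injection_stages(s) for (pid, image), s in apis.items()},
        "chain": chain_findings(procs),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(key, value)
```

Process 16 covers every stage, which is consistent with the "Sample uses process hollowing technique" and "Queues an APC in another process" verdicts; cscript.exe (process 19) only shows the mapping primitives in this excerpt, so the same script makes the difference between the injecting parent and the injected host visible without reading each line by hand.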

          Data Obfuscation:

.NET source code contains potential unpacker
Source: Purchase Order.exe, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Purchase Order.exe.830000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Purchase Order.exe.830000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.Purchase Order.exe.c90000.1.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.Purchase Order.exe.c90000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0089566C push edi; retf 0_2_0089566F
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05143D50 push cs; ret 0_2_05143D51
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05142D96 push cs; ret 0_2_05142D97
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051425E7 push cs; ret 0_2_051425E8
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05143448 push cs; ret 0_2_05143449
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05144C9C push cs; ret 0_2_05144C9D
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05141CCD push cs; ret 0_2_05141CCE
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051437A0 push cs; ret 0_2_051437A1
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05141FAE push cs; ret 0_2_05141FAF
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051447D5 pushad ; retf 0_2_051447E0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514463C push cs; ret 0_2_0514463D
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514297E push cs; ret 0_2_0514297F
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514496C push cs; ret 0_2_0514496D
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0514407B push cs; ret 0_2_0514407C
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05145063 push cs; ret 0_2_05145064
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051430EF push cs; ret 0_2_051430F0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05144B05 pushad ; retf 0_2_05144B10
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05142B8A push cs; ret 0_2_05142B8B
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_051443A6 push cs; ret 0_2_051443A7
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05142250 push cs; ret 0_2_05142251
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_05143A78 push cs; ret 0_2_05143A79
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D0D2 push eax; ret 16_2_0041D0D8
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D0DB push eax; ret 16_2_0041D142
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D085 push eax; ret 16_2_0041D0D8
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0041D13C push eax; ret 16_2_0041D142
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00416A73 push eax; iretd 16_2_00416A9D
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_004176D4 push ss; ret 16_2_004176D6
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_004077D3 push ecx; retf 16_2_0040788B
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_004167ED push edi; ret 16_2_004167EF
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00CFA934 push edi; retf 16_2_00CFA935
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00CF566C push edi; retf 16_2_00CF566F
          Source: initial sample | Static PE information: section name: .text entropy: 7.75016432791

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEB
          Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 1376, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Purchase Order.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000D598E4 second address: 0000000000D598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000D59B5E second address: 0000000000D59B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00409A90 rdtsc 16_2_00409A90
          Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4760 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
          Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: explorer.exe, 00000011.00000000.331665021.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000011.00000000.354060611.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000011.00000000.331902331.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000011.00000000.331997751.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000011.00000000.326143838.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: Purchase Order.exe, 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000011.00000000.331287030.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Purchase Order.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_00409A90 rdtsc 16_2_00409A90
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0040ACD0 LdrLoadDll,16_2_0040ACD0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0187C182 mov eax, dword ptr fs:[00000030h] 16_2_0187C182
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01882581 mov eax, dword ptr fs:[00000030h] 16_2_01882581
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188A185 mov eax, dword ptr fs:[00000030h] 16_2_0188A185
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01852D8A mov eax, dword ptr fs:[00000030h] 16_2_01852D8A
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188FD9B mov eax, dword ptr fs:[00000030h] 16_2_0188FD9B
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01882990 mov eax, dword ptr fs:[00000030h] 16_2_01882990
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018861A0 mov eax, dword ptr fs:[00000030h] 16_2_018861A0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018835A1 mov eax, dword ptr fs:[00000030h] 16_2_018835A1
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D69A6 mov eax, dword ptr fs:[00000030h] 16_2_018D69A6
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D51BE mov eax, dword ptr fs:[00000030h] 16_2_018D51BE
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01881DB5 mov eax, dword ptr fs:[00000030h] 16_2_01881DB5
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019205AC mov eax, dword ptr fs:[00000030h] 16_2_019205AC
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6DC9 mov eax, dword ptr fs:[00000030h] 16_2_018D6DC9
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6DC9 mov ecx, dword ptr fs:[00000030h] 16_2_018D6DC9
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01908DF1 mov eax, dword ptr fs:[00000030h] 16_2_01908DF1
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0185B1E1
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018E41E8 mov eax, dword ptr fs:[00000030h] 16_2_018E41E8
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0186D5E0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191FDE2 mov eax, dword ptr fs:[00000030h] 16_2_0191FDE2
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01859100 mov eax, dword ptr fs:[00000030h] 16_2_01859100
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01928D34 mov eax, dword ptr fs:[00000030h] 16_2_01928D34
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01874120 mov eax, dword ptr fs:[00000030h] 16_2_01874120
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01874120 mov ecx, dword ptr fs:[00000030h] 16_2_01874120
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0191E539 mov eax, dword ptr fs:[00000030h] 16_2_0191E539
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188513A mov eax, dword ptr fs:[00000030h] 16_2_0188513A
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01863D34 mov eax, dword ptr fs:[00000030h] 16_2_01863D34
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01884D3B mov eax, dword ptr fs:[00000030h] 16_2_01884D3B
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185AD30 mov eax, dword ptr fs:[00000030h] 16_2_0185AD30
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018DA537 mov eax, dword ptr fs:[00000030h] 16_2_018DA537
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0187B944 mov eax, dword ptr fs:[00000030h] 16_2_0187B944
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01893D43 mov eax, dword ptr fs:[00000030h] 16_2_01893D43
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D3540 mov eax, dword ptr fs:[00000030h] 16_2_018D3540
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01877D50 mov eax, dword ptr fs:[00000030h] 16_2_01877D50
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185C962 mov eax, dword ptr fs:[00000030h] 16_2_0185C962
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0187C577 mov eax, dword ptr fs:[00000030h] 16_2_0187C577
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0185B171 mov eax, dword ptr fs:[00000030h] 16_2_0185B171
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01859080 mov eax, dword ptr fs:[00000030h] 16_2_01859080
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D3884 mov eax, dword ptr fs:[00000030h] 16_2_018D3884
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0186849B mov eax, dword ptr fs:[00000030h] 16_2_0186849B
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018990AF mov eax, dword ptr fs:[00000030h] 16_2_018990AF
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018820A0 mov eax, dword ptr fs:[00000030h] 16_2_018820A0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0188F0BF
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_0188F0BF mov eax, dword ptr fs:[00000030h] 16_2_0188F0BF
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01928CD6 mov eax, dword ptr fs:[00000030h] 16_2_01928CD6
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018EB8D0 mov eax, dword ptr fs:[00000030h] 16_2_018EB8D0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018EB8D0 mov ecx, dword ptr fs:[00000030h] 16_2_018EB8D0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018558EC mov eax, dword ptr fs:[00000030h] 16_2_018558EC
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_019114FB mov eax, dword ptr fs:[00000030h] 16_2_019114FB
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6CF0 mov eax, dword ptr fs:[00000030h] 16_2_018D6CF0
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01924015 mov eax, dword ptr fs:[00000030h] 16_2_01924015
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_018D6C0A mov eax, dword ptr fs:[00000030h] 16_2_018D6C0A
          Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 16_2_01911C06 mov eax, dword ptr fs:[00000030h] 16_2_01911C06
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7016 mov eax, dword ptr fs:[00000030h]16_2_018D7016
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7016 mov eax, dword ptr fs:[00000030h]16_2_018D7016
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7016 mov eax, dword ptr fs:[00000030h]16_2_018D7016
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0192740D mov eax, dword ptr fs:[00000030h]16_2_0192740D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0192740D mov eax, dword ptr fs:[00000030h]16_2_0192740D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0192740D mov eax, dword ptr fs:[00000030h]16_2_0192740D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188BC2C mov eax, dword ptr fs:[00000030h]16_2_0188BC2C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188002D mov eax, dword ptr fs:[00000030h]16_2_0188002D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186B02A mov eax, dword ptr fs:[00000030h]16_2_0186B02A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A44B mov eax, dword ptr fs:[00000030h]16_2_0188A44B
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01870050 mov eax, dword ptr fs:[00000030h]16_2_01870050
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01870050 mov eax, dword ptr fs:[00000030h]16_2_01870050
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EC450 mov eax, dword ptr fs:[00000030h]16_2_018EC450
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EC450 mov eax, dword ptr fs:[00000030h]16_2_018EC450
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01912073 mov eax, dword ptr fs:[00000030h]16_2_01912073
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01921074 mov eax, dword ptr fs:[00000030h]16_2_01921074
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187746D mov eax, dword ptr fs:[00000030h]16_2_0187746D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01861B8F mov eax, dword ptr fs:[00000030h]16_2_01861B8F
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01861B8F mov eax, dword ptr fs:[00000030h]16_2_01861B8F
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190D380 mov ecx, dword ptr fs:[00000030h]16_2_0190D380
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01868794 mov eax, dword ptr fs:[00000030h]16_2_01868794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188B390 mov eax, dword ptr fs:[00000030h]16_2_0188B390
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7794 mov eax, dword ptr fs:[00000030h]16_2_018D7794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7794 mov eax, dword ptr fs:[00000030h]16_2_018D7794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D7794 mov eax, dword ptr fs:[00000030h]16_2_018D7794
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0191138A mov eax, dword ptr fs:[00000030h]16_2_0191138A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01882397 mov eax, dword ptr fs:[00000030h]16_2_01882397
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01884BAD mov eax, dword ptr fs:[00000030h]16_2_01884BAD
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01884BAD mov eax, dword ptr fs:[00000030h]16_2_01884BAD
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01884BAD mov eax, dword ptr fs:[00000030h]16_2_01884BAD
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01925BA5 mov eax, dword ptr fs:[00000030h]16_2_01925BA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D53CA mov eax, dword ptr fs:[00000030h]16_2_018D53CA
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D53CA mov eax, dword ptr fs:[00000030h]16_2_018D53CA
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018803E2 mov eax, dword ptr fs:[00000030h]16_2_018803E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187DBE9 mov eax, dword ptr fs:[00000030h]16_2_0187DBE9
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018937F5 mov eax, dword ptr fs:[00000030h]16_2_018937F5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A70E mov eax, dword ptr fs:[00000030h]16_2_0188A70E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A70E mov eax, dword ptr fs:[00000030h]16_2_0188A70E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0191131B mov eax, dword ptr fs:[00000030h]16_2_0191131B
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187F716 mov eax, dword ptr fs:[00000030h]16_2_0187F716
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EFF10 mov eax, dword ptr fs:[00000030h]16_2_018EFF10
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EFF10 mov eax, dword ptr fs:[00000030h]16_2_018EFF10
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0192070D mov eax, dword ptr fs:[00000030h]16_2_0192070D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0192070D mov eax, dword ptr fs:[00000030h]16_2_0192070D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01854F2E mov eax, dword ptr fs:[00000030h]16_2_01854F2E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01854F2E mov eax, dword ptr fs:[00000030h]16_2_01854F2E
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188E730 mov eax, dword ptr fs:[00000030h]16_2_0188E730
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185DB40 mov eax, dword ptr fs:[00000030h]16_2_0185DB40
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186EF40 mov eax, dword ptr fs:[00000030h]16_2_0186EF40
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01928B58 mov eax, dword ptr fs:[00000030h]16_2_01928B58
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185F358 mov eax, dword ptr fs:[00000030h]16_2_0185F358
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185DB60 mov ecx, dword ptr fs:[00000030h]16_2_0185DB60
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186FF60 mov eax, dword ptr fs:[00000030h]16_2_0186FF60
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01883B7A mov eax, dword ptr fs:[00000030h]16_2_01883B7A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01883B7A mov eax, dword ptr fs:[00000030h]16_2_01883B7A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01928F6A mov eax, dword ptr fs:[00000030h]16_2_01928F6A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018EFE87 mov eax, dword ptr fs:[00000030h]16_2_018EFE87
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188D294 mov eax, dword ptr fs:[00000030h]16_2_0188D294
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188D294 mov eax, dword ptr fs:[00000030h]16_2_0188D294
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018552A5 mov eax, dword ptr fs:[00000030h]16_2_018552A5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018D46A7 mov eax, dword ptr fs:[00000030h]16_2_018D46A7
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186AAB0 mov eax, dword ptr fs:[00000030h]16_2_0186AAB0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186AAB0 mov eax, dword ptr fs:[00000030h]16_2_0186AAB0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01920EA5 mov eax, dword ptr fs:[00000030h]16_2_01920EA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01920EA5 mov eax, dword ptr fs:[00000030h]16_2_01920EA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01920EA5 mov eax, dword ptr fs:[00000030h]16_2_01920EA5
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188FAB0 mov eax, dword ptr fs:[00000030h]16_2_0188FAB0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01882ACB mov eax, dword ptr fs:[00000030h]16_2_01882ACB
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01928ED6 mov eax, dword ptr fs:[00000030h]16_2_01928ED6
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018836CC mov eax, dword ptr fs:[00000030h]16_2_018836CC
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01898EC7 mov eax, dword ptr fs:[00000030h]16_2_01898EC7
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190FEC0 mov eax, dword ptr fs:[00000030h]16_2_0190FEC0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018676E2 mov eax, dword ptr fs:[00000030h]16_2_018676E2
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018816E0 mov ecx, dword ptr fs:[00000030h]16_2_018816E0
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01882AE4 mov eax, dword ptr fs:[00000030h]16_2_01882AE4
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185C600 mov eax, dword ptr fs:[00000030h]16_2_0185C600
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185C600 mov eax, dword ptr fs:[00000030h]16_2_0185C600
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185C600 mov eax, dword ptr fs:[00000030h]16_2_0185C600
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01888E00 mov eax, dword ptr fs:[00000030h]16_2_01888E00
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01868A0A mov eax, dword ptr fs:[00000030h]16_2_01868A0A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185AA16 mov eax, dword ptr fs:[00000030h]16_2_0185AA16
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185AA16 mov eax, dword ptr fs:[00000030h]16_2_0185AA16
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A61C mov eax, dword ptr fs:[00000030h]16_2_0188A61C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0188A61C mov eax, dword ptr fs:[00000030h]16_2_0188A61C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov eax, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov ecx, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov eax, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01855210 mov eax, dword ptr fs:[00000030h]16_2_01855210
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01911608 mov eax, dword ptr fs:[00000030h]16_2_01911608
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01873A1C mov eax, dword ptr fs:[00000030h]16_2_01873A1C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0185E620 mov eax, dword ptr fs:[00000030h]16_2_0185E620
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01894A2C mov eax, dword ptr fs:[00000030h]16_2_01894A2C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01894A2C mov eax, dword ptr fs:[00000030h]16_2_01894A2C
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190FE3F mov eax, dword ptr fs:[00000030h]16_2_0190FE3F
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0191EA55 mov eax, dword ptr fs:[00000030h]16_2_0191EA55
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01859240 mov eax, dword ptr fs:[00000030h]16_2_01859240
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01859240 mov eax, dword ptr fs:[00000030h]16_2_01859240
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01859240 mov eax, dword ptr fs:[00000030h]16_2_01859240
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01859240 mov eax, dword ptr fs:[00000030h]16_2_01859240
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01867E41 mov eax, dword ptr fs:[00000030h]16_2_01867E41
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01867E41 mov eax, dword ptr fs:[00000030h]16_2_01867E41
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01867E41 mov eax, dword ptr fs:[00000030h]16_2_01867E41
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01867E41 mov eax, dword ptr fs:[00000030h]16_2_01867E41
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01867E41 mov eax, dword ptr fs:[00000030h]16_2_01867E41
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01867E41 mov eax, dword ptr fs:[00000030h]16_2_01867E41
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0191AE44 mov eax, dword ptr fs:[00000030h]16_2_0191AE44
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0191AE44 mov eax, dword ptr fs:[00000030h]16_2_0191AE44
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_018E4257 mov eax, dword ptr fs:[00000030h]16_2_018E4257
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0186766D mov eax, dword ptr fs:[00000030h]16_2_0186766D
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190B260 mov eax, dword ptr fs:[00000030h]16_2_0190B260
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0190B260 mov eax, dword ptr fs:[00000030h]16_2_0190B260
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_01928A62 mov eax, dword ptr fs:[00000030h]16_2_01928A62
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0189927A mov eax, dword ptr fs:[00000030h]16_2_0189927A
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187AE73 mov eax, dword ptr fs:[00000030h]16_2_0187AE73
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187AE73 mov eax, dword ptr fs:[00000030h]16_2_0187AE73
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187AE73 mov eax, dword ptr fs:[00000030h]16_2_0187AE73
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187AE73 mov eax, dword ptr fs:[00000030h]16_2_0187AE73
          Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 16_2_0187AE73 mov eax, dword ptr fs:[00000030h]16_2_0187AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD14FB mov eax, dword ptr fs:[00000030h]19_2_04FD14FB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96CF0 mov eax, dword ptr fs:[00000030h]19_2_04F96CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96CF0 mov eax, dword ptr fs:[00000030h]19_2_04F96CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96CF0 mov eax, dword ptr fs:[00000030h]19_2_04F96CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F158EC mov eax, dword ptr fs:[00000030h]19_2_04F158EC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FE8CD6 mov eax, dword ptr fs:[00000030h]19_2_04FE8CD6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAB8D0 mov eax, dword ptr fs:[00000030h]19_2_04FAB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAB8D0 mov ecx, dword ptr fs:[00000030h]19_2_04FAB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAB8D0 mov eax, dword ptr fs:[00000030h]19_2_04FAB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAB8D0 mov eax, dword ptr fs:[00000030h]19_2_04FAB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAB8D0 mov eax, dword ptr fs:[00000030h]19_2_04FAB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAB8D0 mov eax, dword ptr fs:[00000030h]19_2_04FAB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4F0BF mov ecx, dword ptr fs:[00000030h]19_2_04F4F0BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4F0BF mov eax, dword ptr fs:[00000030h]19_2_04F4F0BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4F0BF mov eax, dword ptr fs:[00000030h]19_2_04F4F0BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F420A0 mov eax, dword ptr fs:[00000030h]19_2_04F420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F420A0 mov eax, dword ptr fs:[00000030h]19_2_04F420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F420A0 mov eax, dword ptr fs:[00000030h]19_2_04F420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F420A0 mov eax, dword ptr fs:[00000030h]19_2_04F420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F420A0 mov eax, dword ptr fs:[00000030h]19_2_04F420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F420A0 mov eax, dword ptr fs:[00000030h]19_2_04F420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F590AF mov eax, dword ptr fs:[00000030h]19_2_04F590AF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F2849B mov eax, dword ptr fs:[00000030h]19_2_04F2849B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F19080 mov eax, dword ptr fs:[00000030h]19_2_04F19080
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F93884 mov eax, dword ptr fs:[00000030h]19_2_04F93884
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F93884 mov eax, dword ptr fs:[00000030h]19_2_04F93884
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FE1074 mov eax, dword ptr fs:[00000030h]19_2_04FE1074
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD2073 mov eax, dword ptr fs:[00000030h]19_2_04FD2073
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F3746D mov eax, dword ptr fs:[00000030h]19_2_04F3746D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F30050 mov eax, dword ptr fs:[00000030h]19_2_04F30050
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F30050 mov eax, dword ptr fs:[00000030h]19_2_04F30050
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAC450 mov eax, dword ptr fs:[00000030h]19_2_04FAC450
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FAC450 mov eax, dword ptr fs:[00000030h]19_2_04FAC450
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4A44B mov eax, dword ptr fs:[00000030h]19_2_04F4A44B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F2B02A mov eax, dword ptr fs:[00000030h]19_2_04F2B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F2B02A mov eax, dword ptr fs:[00000030h]19_2_04F2B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F2B02A mov eax, dword ptr fs:[00000030h]19_2_04F2B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F2B02A mov eax, dword ptr fs:[00000030h]19_2_04F2B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4BC2C mov eax, dword ptr fs:[00000030h]19_2_04F4BC2C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4002D mov eax, dword ptr fs:[00000030h]19_2_04F4002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4002D mov eax, dword ptr fs:[00000030h]19_2_04F4002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4002D mov eax, dword ptr fs:[00000030h]19_2_04F4002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4002D mov eax, dword ptr fs:[00000030h]19_2_04F4002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F4002D mov eax, dword ptr fs:[00000030h]19_2_04F4002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FE4015 mov eax, dword ptr fs:[00000030h]19_2_04FE4015
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FE4015 mov eax, dword ptr fs:[00000030h]19_2_04FE4015
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F97016 mov eax, dword ptr fs:[00000030h]19_2_04F97016
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F97016 mov eax, dword ptr fs:[00000030h]19_2_04F97016
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F97016 mov eax, dword ptr fs:[00000030h]19_2_04F97016
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FE740D mov eax, dword ptr fs:[00000030h]19_2_04FE740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FE740D mov eax, dword ptr fs:[00000030h]19_2_04FE740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FE740D mov eax, dword ptr fs:[00000030h]19_2_04FE740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96C0A mov eax, dword ptr fs:[00000030h]19_2_04F96C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96C0A mov eax, dword ptr fs:[00000030h]19_2_04F96C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96C0A mov eax, dword ptr fs:[00000030h]19_2_04F96C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96C0A mov eax, dword ptr fs:[00000030h]19_2_04F96C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FD1C06 mov eax, dword ptr fs:[00000030h]19_2_04FD1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FC8DF1 mov eax, dword ptr fs:[00000030h]19_2_04FC8DF1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F1B1E1 mov eax, dword ptr fs:[00000030h]19_2_04F1B1E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F1B1E1 mov eax, dword ptr fs:[00000030h]19_2_04F1B1E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F1B1E1 mov eax, dword ptr fs:[00000030h]19_2_04F1B1E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FA41E8 mov eax, dword ptr fs:[00000030h]19_2_04FA41E8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F2D5E0 mov eax, dword ptr fs:[00000030h]19_2_04F2D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F2D5E0 mov eax, dword ptr fs:[00000030h]19_2_04F2D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FDFDE2 mov eax, dword ptr fs:[00000030h]19_2_04FDFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FDFDE2 mov eax, dword ptr fs:[00000030h]19_2_04FDFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FDFDE2 mov eax, dword ptr fs:[00000030h]19_2_04FDFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04FDFDE2 mov eax, dword ptr fs:[00000030h]19_2_04FDFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96DC9 mov eax, dword ptr fs:[00000030h]19_2_04F96DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96DC9 mov eax, dword ptr fs:[00000030h]19_2_04F96DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96DC9 mov eax, dword ptr fs:[00000030h]19_2_04F96DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96DC9 mov ecx, dword ptr fs:[00000030h]19_2_04F96DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96DC9 mov eax, dword ptr fs:[00000030h]19_2_04F96DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 19_2_04F96DC9 mov eax, dword ptr fs:[00000030h]19_2_04F96DC9
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F41DB5 mov eax, dword ptr fs:[00000030h] 19_2_04F41DB5
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F951BE mov eax, dword ptr fs:[00000030h] 19_2_04F951BE
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FE05AC mov eax, dword ptr fs:[00000030h] 19_2_04FE05AC
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F461A0 mov eax, dword ptr fs:[00000030h] 19_2_04F461A0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F435A1 mov eax, dword ptr fs:[00000030h] 19_2_04F435A1
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F969A6 mov eax, dword ptr fs:[00000030h] 19_2_04F969A6
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F42990 mov eax, dword ptr fs:[00000030h] 19_2_04F42990
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F4FD9B mov eax, dword ptr fs:[00000030h] 19_2_04F4FD9B
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F4A185 mov eax, dword ptr fs:[00000030h] 19_2_04F4A185
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F3C182 mov eax, dword ptr fs:[00000030h] 19_2_04F3C182
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F42581 mov eax, dword ptr fs:[00000030h] 19_2_04F42581
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F12D8A mov eax, dword ptr fs:[00000030h] 19_2_04F12D8A
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F1B171 mov eax, dword ptr fs:[00000030h] 19_2_04F1B171
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F3C577 mov eax, dword ptr fs:[00000030h] 19_2_04F3C577
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F1C962 mov eax, dword ptr fs:[00000030h] 19_2_04F1C962
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F37D50 mov eax, dword ptr fs:[00000030h] 19_2_04F37D50
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F53D43 mov eax, dword ptr fs:[00000030h] 19_2_04F53D43
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F3B944 mov eax, dword ptr fs:[00000030h] 19_2_04F3B944
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F93540 mov eax, dword ptr fs:[00000030h] 19_2_04F93540
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F1AD30 mov eax, dword ptr fs:[00000030h] 19_2_04F1AD30
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FDE539 mov eax, dword ptr fs:[00000030h] 19_2_04FDE539
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F23D34 mov eax, dword ptr fs:[00000030h] 19_2_04F23D34
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FE8D34 mov eax, dword ptr fs:[00000030h] 19_2_04FE8D34
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F4513A mov eax, dword ptr fs:[00000030h] 19_2_04F4513A
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F9A537 mov eax, dword ptr fs:[00000030h] 19_2_04F9A537
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F44D3B mov eax, dword ptr fs:[00000030h] 19_2_04F44D3B
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F34120 mov eax, dword ptr fs:[00000030h] 19_2_04F34120
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F34120 mov ecx, dword ptr fs:[00000030h] 19_2_04F34120
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F19100 mov eax, dword ptr fs:[00000030h] 19_2_04F19100
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F276E2 mov eax, dword ptr fs:[00000030h] 19_2_04F276E2
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F42AE4 mov eax, dword ptr fs:[00000030h] 19_2_04F42AE4
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F416E0 mov ecx, dword ptr fs:[00000030h] 19_2_04F416E0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FE8ED6 mov eax, dword ptr fs:[00000030h] 19_2_04FE8ED6
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F58EC7 mov eax, dword ptr fs:[00000030h] 19_2_04F58EC7
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F436CC mov eax, dword ptr fs:[00000030h] 19_2_04F436CC
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FCFEC0 mov eax, dword ptr fs:[00000030h] 19_2_04FCFEC0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F42ACB mov eax, dword ptr fs:[00000030h] 19_2_04F42ACB
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F2AAB0 mov eax, dword ptr fs:[00000030h] 19_2_04F2AAB0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F4FAB0 mov eax, dword ptr fs:[00000030h] 19_2_04F4FAB0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F152A5 mov eax, dword ptr fs:[00000030h] 19_2_04F152A5
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FE0EA5 mov eax, dword ptr fs:[00000030h] 19_2_04FE0EA5
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F946A7 mov eax, dword ptr fs:[00000030h] 19_2_04F946A7
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F4D294 mov eax, dword ptr fs:[00000030h] 19_2_04F4D294
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FAFE87 mov eax, dword ptr fs:[00000030h] 19_2_04FAFE87
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F3AE73 mov eax, dword ptr fs:[00000030h] 19_2_04F3AE73
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F5927A mov eax, dword ptr fs:[00000030h] 19_2_04F5927A
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FCB260 mov eax, dword ptr fs:[00000030h] 19_2_04FCB260
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FE8A62 mov eax, dword ptr fs:[00000030h] 19_2_04FE8A62
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F2766D mov eax, dword ptr fs:[00000030h] 19_2_04F2766D
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FDEA55 mov eax, dword ptr fs:[00000030h] 19_2_04FDEA55
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FA4257 mov eax, dword ptr fs:[00000030h] 19_2_04FA4257
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F19240 mov eax, dword ptr fs:[00000030h] 19_2_04F19240
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F27E41 mov eax, dword ptr fs:[00000030h] 19_2_04F27E41
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FDAE44 mov eax, dword ptr fs:[00000030h] 19_2_04FDAE44
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FCFE3F mov eax, dword ptr fs:[00000030h] 19_2_04FCFE3F
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F1E620 mov eax, dword ptr fs:[00000030h] 19_2_04F1E620
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F54A2C mov eax, dword ptr fs:[00000030h] 19_2_04F54A2C
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F15210 mov eax, dword ptr fs:[00000030h] 19_2_04F15210
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F15210 mov ecx, dword ptr fs:[00000030h] 19_2_04F15210
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F1AA16 mov eax, dword ptr fs:[00000030h] 19_2_04F1AA16
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F4A61C mov eax, dword ptr fs:[00000030h] 19_2_04F4A61C
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F33A1C mov eax, dword ptr fs:[00000030h] 19_2_04F33A1C
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F1C600 mov eax, dword ptr fs:[00000030h] 19_2_04F1C600
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F48E00 mov eax, dword ptr fs:[00000030h] 19_2_04F48E00
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FD1608 mov eax, dword ptr fs:[00000030h] 19_2_04FD1608
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F28A0A mov eax, dword ptr fs:[00000030h] 19_2_04F28A0A
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F537F5 mov eax, dword ptr fs:[00000030h] 19_2_04F537F5
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F403E2 mov eax, dword ptr fs:[00000030h] 19_2_04F403E2
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F3DBE9 mov eax, dword ptr fs:[00000030h] 19_2_04F3DBE9
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F953CA mov eax, dword ptr fs:[00000030h] 19_2_04F953CA
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F44BAD mov eax, dword ptr fs:[00000030h] 19_2_04F44BAD
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04FE5BA5 mov eax, dword ptr fs:[00000030h] 19_2_04FE5BA5
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F42397 mov eax, dword ptr fs:[00000030h] 19_2_04F42397
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 19_2_04F4B390 mov eax, dword ptr fs:[00000030h] 19_2_04F4B390
          Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.deux-studios.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Purchase Order.exe Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Purchase Order.exe Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Purchase Order.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Purchase Order.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 11A0000
          Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
          Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Purchase Order.exe'
          Source: explorer.exe, 00000011.00000000.343545208.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000011.00000000.343855560.0000000001980000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.481929641.00000000037A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000011.00000000.343855560.0000000001980000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.481929641.00000000037A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000011.00000000.343855560.0000000001980000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.481929641.00000000037A0000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000011.00000000.343855560.0000000001980000.00000002.00000001.sdmp, cscript.exe, 00000013.00000002.481929641.00000000037A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match, File source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match, File source: 16.2.Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery221 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 452476
Sample: Purchase Order.exe
Startdate: 22/07/2021
Architecture: WINDOWS
Score: 100

Start
  DNS/IP: www.abusinesssystems.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
  -> Purchase Order.exe [3] (started)
     Dropped file: C:\Users\user\...\Purchase Order.exe.log, ASCII
     Signature: Injects a PE file into a foreign processes
     -> Purchase Order.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
           DNS/IP: www.deux-studios.com
           Signature: System process connects to network (likely due to code injection or exploit)
           -> cscript.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe [1] (started)
                 -> conhost.exe (started)

Screenshots

Thumbnails: windows-stand (screenshot image not reproduced in this text version)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Purchase Order.exe | 13% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Purchase Order.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
16.2.Purchase Order.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/lt | 0% | Virustotal |
http://www.jiyu-kobo.co.jp/lt | 0% | Avira URL Cloud | safe
http://www.fontbureau.comsivao | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp//2o | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Co | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ue | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/;o | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comd-o | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/uo | 0% | Avira URL Cloud | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnoupyt | 0% | Avira URL Cloud | safe
http://www.fontbureau.com.TTFuo | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cngib | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnt | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.com.TTF | 0% | URL Reputation | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Ko | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnoup | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.agfamonotype. | 0% | URL Reputation | safe
http://www.carterandcone.comcr | 0% | Avira URL Cloud | safe
www.valiantfinancial.net/hth0/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cnmpa-u | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.carterandcone.comof | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.carterandcone.comtGi | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.deux-studios.com | unknown | unknown | true | | unknown
www.abusinesssystems.com | unknown | unknown | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.valiantfinancial.net/hth0/ | true | Avira URL Cloud: safe | low

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/lt | Purchase Order.exe, 00000000.00000003.224849274.00000000056A2000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comsivao | Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp//2o | Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Co | Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ue | Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/;o | Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comd-o | Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/uo | Purchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com | Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnoupyt | Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com.TTFuo | Purchase Order.exe, 00000000.00000003.226282943.000000000569C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Purchase Order.exe, 00000000.00000003.227809153.00000000056A0000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cngib | Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnt | Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como. | Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com.TTF | Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com= | Purchase Order.exe, 00000000.00000002.314683016.0000000005690000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/Ko | Purchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnoup | Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | Purchase Order.exe, 00000000.00000003.227884543.00000000056A0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | Purchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.agfamonotype. | Purchase Order.exe, 00000000.00000003.230153130.00000000056A8000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.226282943.000000000569C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comcr | Purchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Purchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.come.com | Purchase Order.exe, 00000000.00000003.230396940.00000000056A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnmpa-u | Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp | false
                            • Avira URL Cloud: safe
                            unknown
                            http://www.founder.com.cn/cn/Purchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.carterandcone.comofPurchase Order.exe, 00000000.00000003.223685242.00000000056A5000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNPurchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cnPurchase Order.exe, 00000000.00000003.222559347.00000000056A3000.00000004.00000001.sdmp, Purchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.comtGiPurchase Order.exe, 00000000.00000003.224058728.00000000056A5000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlPurchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/oPurchase Order.exe, 00000000.00000003.225352110.0000000005699000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/kPurchase Order.exe, 00000000.00000003.224952116.00000000056A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comoPurchase Order.exe, 00000000.00000002.314683016.0000000005690000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/lPurchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.zhongyicts.com.cno.Purchase Order.exe, 00000000.00000003.223470937.00000000056A5000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers8Purchase Order.exe, 00000000.00000002.316230721.0000000006470000.00000002.00000001.sdmp, explorer.exe, 00000011.00000000.332748032.0000000008B40000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.jiyu-kobo.co.jp/jp/uoPurchase Order.exe, 00000000.00000003.225076126.00000000056A3000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/zoPurchase Order.exe, 00000000.00000003.224706549.0000000005693000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.comdsedPurchase Order.exe, 00000000.00000003.226995164.00000000056A4000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.founder.com.cn/cnrosCuPurchase Order.exe, 00000000.00000003.222070975.00000000056A0000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown

                                  Contacted IPs

                                  No contacted IP infos

                                  General Information

                                  Joe Sandbox Version:33.0.0 White Diamond
                                  Analysis ID:452476
                                  Start date:22.07.2021
                                  Start time:13:17:13
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 10m 57s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:Purchase Order.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                   Number of new started processes analysed:28
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@7/1@2/0
                                  EGA Information:Failed
                                  HDC Information:
                                  • Successful, ratio: 12.6% (good quality ratio 10.3%)
                                  • Quality average: 64.4%
                                  • Quality standard deviation: 37%
                                  HCA Information:
                                  • Successful, ratio: 96%
                                  • Number of executed functions: 73
                                  • Number of non-executed functions: 152
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.64.90.137, 104.42.151.234, 23.211.4.86, 20.82.209.183, 40.112.88.60, 205.185.216.42, 205.185.216.10, 80.67.82.211, 80.67.82.235, 20.82.210.154
                                  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                   • Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                  Simulations

                                  Behavior and APIs

                                  No simulations

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.09707815679182
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:Purchase Order.exe
                                  File size:938496
                                  MD5:c13f1850e9d955f826620bd1ae322368
                                  SHA1:1329de0499fabc6fcffd4fa02864968acaac253e
                                  SHA256:419d8b92dc042882bb3261de70dfe4a158bc9ca436c71f9bf330bb8a6917d04c
                                  SHA512:8d11bbe6afadbd108f227bb3397334f27eb69859b19e82ae436ea91a9f9b6b786c83a55a2fe0f71b15875ec51df8b19f367941420e5972eb2a06e6163aed2657
                                  SSDEEP:12288:a+pvoEou45e3hi0CnMBUajS9VF/yEWmym5sD+cSMPQipP5q:a+pvZGe3encUNjFaEWmfipQ
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..j..........^.... ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:f0debeffdffeec70

                                  Static PE Info

                                  General

                                  Entrypoint:0x48885e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x60F8B8F5 [Thu Jul 22 00:16:53 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al

                                  Data Directories

                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8880c | 0x4f | .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x5e320 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0xc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x2000 | 0x86864 | 0x86a00 | False | 0.862472435005 | data | 7.75016432791 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                   .rsrc | 0x8a000 | 0x5e320 | 0x5e400 | False | 0.167326342838 | data | 5.6405677251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0xea000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                   Name | RVA | Size | Type | Language | Country
                                   RT_ICON | 0x8a220 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                   RT_ICON | 0x8a688 | 0x1128 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                   RT_ICON | 0x8b7b0 | 0x2668 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                   RT_ICON | 0x8de18 | 0x4428 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                   RT_ICON | 0x92240 | 0x11028 | dBase III DBT, version number 0, next free block index 40 | |
                                   RT_ICON | 0xa3268 | 0x44028 | data | |
                                   RT_GROUP_ICON | 0xe7290 | 0x5a | data | |
                                   RT_VERSION | 0xe72ec | 0x30c | data | |
                                   RT_MANIFEST | 0xe75f8 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                                  Imports

                                   DLL | Import
                                   mscoree.dll | _CorExeMain

                                  Version Infos

                                   Description | Data
                                   Translation | 0x0000 0x04b0
                                   LegalCopyright | Copyright 2016
                                   Assembly Version | 1.0.0.0
                                   InternalName | tV45e.exe
                                   FileVersion | 1.0.0.0
                                   CompanyName |
                                   LegalTrademarks |
                                   Comments |
                                   ProductName | uNotepad
                                   ProductVersion | 1.0.0.0
                                   FileDescription | uNotepad
                                   OriginalFilename | tV45e.exe

                                  Network Behavior

                                  Network Port Distribution

                                  UDP Packets

                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jul 22, 2021 13:18:04.580295086 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:04.641351938 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:05.780913115 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:05.838221073 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:08.121515036 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:08.174133062 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:09.386004925 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:09.439255953 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:11.218653917 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:11.268026114 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:12.461256981 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:12.513565063 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:13.618632078 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:13.678450108 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:14.900017023 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:14.959148884 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:16.150531054 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:16.215924025 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:17.424123049 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:17.553191900 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:18.743213892 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:18.792356014 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:19.899352074 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:19.951848984 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:22.063747883 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:22.116322041 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:23.425777912 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:23.475258112 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:25.565068960 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:25.617316961 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:27.019148111 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:27.072943926 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:28.292045116 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:28.343964100 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:29.441327095 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:29.493346930 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:30.676944017 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:30.728882074 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:32.825310946 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:32.907706976 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:37.642015934 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:37.715970039 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:55.421674013 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:55.491024017 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:18:56.310287952 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:18:56.368032932 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:19:13.879085064 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:19:13.946717978 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:19:18.997966051 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:19:19.058268070 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:19:51.858135939 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:19:51.919841051 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:19:53.551717997 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:19:53.618792057 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:19:57.076951027 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:19:57.153218985 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                   Jul 22, 2021 13:20:17.673424959 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jul 22, 2021 13:20:17.736171007 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3

                                  DNS Queries

                                  Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
                                  Jul 22, 2021 13:19:57.076951027 CEST  192.168.2.3  8.8.8.8  0xee55    Standard query (0)  www.deux-studios.com      A (IP address)  IN (0x0001)
                                  Jul 22, 2021 13:20:17.673424959 CEST  192.168.2.3  8.8.8.8  0x7fcc    Standard query (0)  www.abusinesssystems.com  A (IP address)  IN (0x0001)

                                  DNS Answers

                                  Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                      CName  Address  Type            Class
                                  Jul 22, 2021 13:19:57.153218985 CEST  8.8.8.8    192.168.2.3  0xee55    Name error (3)  www.deux-studios.com      none   none     A (IP address)  IN (0x0001)
                                  Jul 22, 2021 13:20:17.736171007 CEST  8.8.8.8    192.168.2.3  0x7fcc    Name error (3)  www.abusinesssystems.com  none   none     A (IP address)  IN (0x0001)
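Both lookups above came back NXDOMAIN (reply code 3). The following Python is an added example, not part of the Joe Sandbox report, that parses the report's flattened query and answer rows, pairs them by transaction ID and lists which hostnames did not resolve. The sample rows are copied from the report; the analysis host (192.168.2.3) and resolver (8.8.8.8) are taken from the UDP packet list above and are needed because the report glues source and destination addresses together, which is ambiguous in general. The function and record names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Analysis host and resolver, taken from the UDP packet list of this report;
# they are used to disambiguate the concatenated address pairs in the rows below.
KNOWN_HOSTS: Set[str] = {"192.168.2.3", "8.8.8.8"}

# Constructed input: the four DNS rows above, copied in the flattened form in
# which the report renders them (column values run together, no separators).
REPORT_LINES = [
    "Jul 22, 2021 13:19:57.076951027 CEST192.168.2.38.8.8.80xee55Standard query (0)www.deux-studios.comA (IP address)IN (0x0001)",
    "Jul 22, 2021 13:20:17.673424959 CEST192.168.2.38.8.8.80x7fccStandard query (0)www.abusinesssystems.comA (IP address)IN (0x0001)",
    "Jul 22, 2021 13:19:57.153218985 CEST8.8.8.8192.168.2.30xee55Name error (3)www.deux-studios.comnonenoneA (IP address)IN (0x0001)",
    "Jul 22, 2021 13:20:17.736171007 CEST8.8.8.8192.168.2.30x7fccName error (3)www.abusinesssystems.comnonenoneA (IP address)IN (0x0001)",
]

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_HEAD = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)"
                   r"(?P<ips>[\d.]+?)0x(?P<txid>[0-9a-fA-F]{4})(?P<rest>.*)$")
_QUERY = re.compile(r"^Standard query \(\d+\)(?P<name>.+?)(?P<rtype>[A-Z]+) \([^)]*\)IN \(0x0001\)$")
_ANSWER = re.compile(r"^(?P<rc>[A-Za-z ]+?) \((?P<rcode>\d+)\)(?P<body>.+?)(?P<rtype>[A-Z]+) \([^)]*\)IN \(0x0001\)$")
_TAIL = re.compile(r"^(?P<cname>none|.+?)(?P<addr>none|" + _IPV4 + r")$")


def _is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 and (p == "0" or p[0] != "0") for p in parts)


def split_ip_pair(blob: str, known: Set[str]) -> Tuple[str, str]:
    """Split two concatenated IPv4 addresses such as '8.8.8.8192.168.2.3'.

    That string also parses as '8.8.8.81' + '92.168.2.3'. A unique valid split wins;
    otherwise the split whose halves are both known hosts wins; otherwise the
    ambiguity is raised rather than guessed.
    """
    candidates = [(blob[:i], blob[i:]) for i in range(7, len(blob) - 6)
                  if _is_ipv4(blob[:i]) and _is_ipv4(blob[i:])]
    if len(candidates) == 1:
        return candidates[0]
    preferred = [c for c in candidates if c[0] in known and c[1] in known]
    if len(preferred) == 1:
        return preferred[0]
    raise ValueError(f"cannot split address pair {blob!r}: candidates {candidates}")


@dataclass
class DnsExchange:
    txid: str
    name: str = ""
    src_ip: str = ""          # querying host
    dst_ip: str = ""          # resolver
    query_ts: str = ""
    answer_ts: str = ""
    rcode: Optional[int] = None
    rcode_text: str = ""
    cname: Optional[str] = None
    address: Optional[str] = None

    @property
    def nxdomain(self) -> bool:
        return self.rcode == 3


def parse_dns(lines, known: Set[str] = KNOWN_HOSTS) -> Dict[str, DnsExchange]:
    """Pair query and answer rows by transaction ID; result order is query order."""
    exchanges: Dict[str, DnsExchange] = {}
    for line in lines:
        head = _HEAD.match(line.strip())
        if not head:
            continue
        src, dst = split_ip_pair(head["ips"], known)
        txid = head["txid"].lower()
        ex = exchanges.setdefault(txid, DnsExchange(txid=txid))
        q = _QUERY.match(head["rest"])
        if q:
            ex.name, ex.src_ip, ex.dst_ip, ex.query_ts = q["name"], src, dst, head["ts"]
            continue
        a = _ANSWER.match(head["rest"])
        if not a:
            continue
        ex.answer_ts, ex.rcode, ex.rcode_text = head["ts"], int(a["rcode"]), a["rc"]
        body = a["body"]
        if ex.name and body.startswith(ex.name):
            tail = body[len(ex.name):]
        else:  # answer with no matching query: keep the raw body; answers travel resolver -> host
            ex.name, tail = body, ""
            ex.src_ip, ex.dst_ip = dst, src
        t = _TAIL.match(tail)
        if t:
            ex.cname = None if t["cname"] == "none" else t["cname"]
            ex.address = None if t["addr"] == "none" else t["addr"]
    return exchanges


def nxdomain_names(exchanges: Dict[str, DnsExchange]) -> List[str]:
    """Hostnames the resolver answered with reply code 3: the C2 candidates that did not resolve at run time."""
    return [e.name for e in exchanges.values() if e.nxdomain]
```

Run over a fuller capture, the pairing by transaction ID separates real NXDOMAIN responses from queries that simply received no answer, and split_ip_pair raises instead of silently choosing when it meets an ambiguous address pair it has not been told about.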

                                  Code Manipulations

                                  User Modules

                                  Hook Summary

                                  Function Name  Hook Type  Active in Processes
                                  PeekMessageA   INLINE     explorer.exe
                                  PeekMessageW   INLINE     explorer.exe
                                  GetMessageW    INLINE     explorer.exe
                                  GetMessageA    INLINE     explorer.exe

                                  Processes

                                  Process: explorer.exe, Module: user32.dll
                                  Function Name  Hook Type  New Data
                                  PeekMessageA   INLINE     0x48 0x8B 0xB8 0x8E 0xEE 0xEB
                                  PeekMessageW   INLINE     0x48 0x8B 0xB8 0x86 0x6E 0xEB
                                  GetMessageW    INLINE     0x48 0x8B 0xB8 0x86 0x6E 0xEB
                                  GetMessageA    INLINE     0x48 0x8B 0xB8 0x8E 0xEE 0xEB
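The hooks above are inline patches on the prologs of four user32.dll message-loop functions inside explorer.exe. One way to confirm such a finding on a live host is to compare each export's first bytes in the section-mapped on-disk module with the same RVA read from the process, which is what the added Python below does (example code, not from the report or from Joe Sandbox). The export table, RVAs, prolog bytes and detour target are constructed for the example and are not user32.dll's; on a real host `disk` would be the file mapped with its section layout (for instance pefile's get_memory_mapped_image()) and `live` the module read from the target process with ReadProcessMemory.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample module (not user32.dll): four exports at made-up RVAs, each
# opening with a typical x64 prolog. DISK_IMAGE stands for the section-mapped
# on-disk module and LIVE_IMAGE for the same mapping read back from the process,
# with PeekMessageA and GetMessageW overwritten by a detour.
EXPORTS: Dict[str, int] = {"PeekMessageA": 0x1000, "PeekMessageW": 0x1040,
                           "GetMessageA": 0x1080, "GetMessageW": 0x10C0}
# mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h ; nop
PROLOG = bytes.fromhex("48895c2408" "4889742410" "57" "4883ec20" "90")
DETOUR_TARGET = 0x00007FFD12340000   # made-up address that lies in no loaded module


def _build_images():
    disk = bytearray(b"\xcc" * 0x1100)
    for rva in EXPORTS.values():
        disk[rva:rva + len(PROLOG)] = PROLOG
    live = bytearray(disk)
    # PeekMessageA: jmp rel32 to a stub 0x2000 bytes past the jump, outside this image
    live[0x1000:0x1005] = b"\xe9" + (0x2000).to_bytes(4, "little", signed=True)
    # GetMessageW: jmp qword ptr [rip+0], with the 8-byte absolute target right behind it
    live[0x10C0:0x10CE] = b"\xff\x25" + bytes(4) + DETOUR_TARGET.to_bytes(8, "little")
    return bytes(disk), bytes(live)


DISK_IMAGE, LIVE_IMAGE = _build_images()


@dataclass
class HookFinding:
    function: str
    rva: int
    offset: int             # first differing byte within the prolog
    expected: bytes
    observed: bytes
    kind: str               # detour shape named by classify_patch
    target: Optional[int]   # RVA for a relative jump, absolute VA for the others, None if undecodable


def classify_patch(b: bytes) -> str:
    """Name the trampoline at the patch site; 'other' means changed bytes with no known jump opcode."""
    if b[:1] == b"\xe9":
        return "jmp rel32"
    if b[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if b[:1] == b"\x68" and b[5:6] == b"\xc3":
        return "push imm32; ret"
    if b[:2] == b"\x48\xb8" and b[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return "other"


def _resolve_target(kind: str, at: int, live: bytes) -> Optional[int]:
    """Decode where the detour at RVA `at` lands, reading pointers from the live image."""
    if kind == "jmp rel32":
        return at + 5 + int.from_bytes(live[at + 1:at + 5], "little", signed=True)
    if kind == "jmp [rip+disp32]":
        ptr = at + 6 + int.from_bytes(live[at + 2:at + 6], "little", signed=True)
        return int.from_bytes(live[ptr:ptr + 8], "little") if 0 <= ptr <= len(live) - 8 else None
    if kind == "push imm32; ret":
        return int.from_bytes(live[at + 1:at + 5], "little")
    if kind == "mov rax, imm64; jmp rax":
        return int.from_bytes(live[at + 2:at + 10], "little")
    return None


def find_inline_hooks(exports: Dict[str, int], disk: bytes, live: bytes,
                      prolog_len: int = 16) -> List[HookFinding]:
    """Flag every export whose first prolog_len bytes differ between the mapped file and the process."""
    findings: List[HookFinding] = []
    for name, rva in sorted(exports.items(), key=lambda kv: kv[1]):
        expected, observed = disk[rva:rva + prolog_len], live[rva:rva + prolog_len]
        if expected == observed:
            continue
        offset = next(i for i, (x, y) in enumerate(zip(expected, observed)) if x != y)
        kind = classify_patch(observed[offset:])
        findings.append(HookFinding(name, rva, offset, expected, observed, kind,
                                    _resolve_target(kind, rva + offset, live)))
    return findings


if __name__ == "__main__":
    for f in find_inline_hooks(EXPORTS, DISK_IMAGE, LIVE_IMAGE):
        where = hex(f.target) if f.target is not None else "?"
        print(f"{f.function:<13} +{f.offset:<3} {f.kind:<22} -> {where}  {f.observed.hex(' ')}")
```

A detour whose target lies outside every loaded module, as with both constructed patches here, is the signal worth acting on; EDR and hot-patching hooks also rewrite prologs, but land inside a signed DLL. For 32-bit modules, relocations can legitimately change prolog bytes, so compare after applying relocations or mask relocated ranges before diffing.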

                                  Statistics

                                  (The CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior charts of this section are interactive in the original report and are not reproduced here.)
                                  System Behavior

                                  General

                                  Start time:13:18:09
                                  Start date:22/07/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\Purchase Order.exe'
                                  Imagebase:0x830000
                                  File size:938496 bytes
                                  MD5 hash:C13F1850E9D955F826620BD1AE322368
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.308021841.0000000002CD8000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.308917029.0000000003C71000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:13:18:50
                                  Start date:22/07/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:{path}
                                  Imagebase:0xc90000
                                  File size:938496 bytes
                                  MD5 hash:C13F1850E9D955F826620BD1AE322368
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.363133642.0000000001720000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.363097654.00000000016F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:13:18:53
                                  Start date:22/07/2021
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Explorer.EXE
                                  Imagebase:0x7ff714890000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:13:19:16
                                  Start date:22/07/2021
                                  Path:C:\Windows\SysWOW64\cscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\cscript.exe
                                  Imagebase:0x11a0000
                                  File size:143360 bytes
                                  MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.480809359.0000000001140000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.480997579.0000000001170000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:moderate

                                  General

                                  Start time:13:19:19
                                  Start date:22/07/2021
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:/c del 'C:\Users\user\Desktop\Purchase Order.exe'
                                  Imagebase:0xbd0000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:13:19:19
                                  Start date:22/07/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
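Read as a chain, the process list above shows the dropper starting a second copy of itself (the report prints that instance's command line as the placeholder {path}), explorer.exe launching cscript.exe with no script argument, and cmd.exe deleting the original dropper. The Python below is an added example, not from the report, of detection logic over process-creation events for those three tells. The events are constructed from the paths, start times and command lines in the table; the PIDs and parent links are assumptions, since the report does not print them, and the last two events are invented benign controls.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events modelled on the process list above. Paths,
# start times and command lines come from the report; PIDs and parent links are
# assumptions added for the example (the report does not print them), and the
# last two events are invented benign controls. The report shows the second
# dropper instance's command line as the placeholder {path}; it is expanded here.
EVENTS = [
    {"pid": 1000, "ppid": 900,  "start": "13:18:09", "image": r"C:\Users\user\Desktop\Purchase Order.exe",
     "cmdline": r"'C:\Users\user\Desktop\Purchase Order.exe'"},
    {"pid": 1001, "ppid": 1000, "start": "13:18:50", "image": r"C:\Users\user\Desktop\Purchase Order.exe",
     "cmdline": r"'C:\Users\user\Desktop\Purchase Order.exe'"},
    {"pid": 1002, "ppid": 800,  "start": "13:18:53", "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1003, "ppid": 1002, "start": "13:19:16", "image": r"C:\Windows\SysWOW64\cscript.exe",
     "cmdline": r"C:\Windows\SysWOW64\cscript.exe"},
    {"pid": 1004, "ppid": 1003, "start": "13:19:19", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\Purchase Order.exe'"},
    {"pid": 1005, "ppid": 1004, "start": "13:19:19", "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 2001, "ppid": 1002, "start": "13:20:00", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"pid": 2002, "ppid": 1002, "start": "13:20:05", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "C:\Users\user\AppData\Local\Temp\report.tmp"'},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}   # multi-process apps that fork themselves
DEL_RE = re.compile(r"""/c\s+del\s+(?:/[a-z]\s+)*['"]?(?P<target>[^'"]+?)['"]?\s*$""", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def norm_path(path: str) -> str:
    return path.strip().strip("'\"").lower()


def basename(path: str) -> str:
    return norm_path(path).rsplit("\\", 1)[-1]


def command_arguments(cmdline: str, image: str) -> str:
    """The command line with its leading program token removed (quoted, or bare and matching the image name)."""
    c = cmdline.strip()
    if c[:1] in ("'", '"'):
        return c[c.find(c[0], 1) + 1:].strip()
    first, _, rest = c.partition(" ")
    return rest.strip() if basename(first) == basename(image) else c


def detect(events: List[dict]) -> List[Alert]:
    by_pid = {e["pid"]: e for e in events}
    images_seen: Dict[str, int] = {}   # normalised image path -> first pid that ran it
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: (e["start"], e["pid"])):
        img, base, parent = norm_path(ev["image"]), basename(ev["image"]), by_pid.get(ev["ppid"])
        # 1. a process starting a second copy of itself: the hollowing step seen for the dropper
        if parent and norm_path(parent["image"]) == img and base not in SELF_SPAWN_ALLOWLIST:
            alerts.append(Alert("self_spawn", ev["pid"], f"{base} spawned itself (pid {parent['pid']} -> {ev['pid']})"))
        # 2. a script host with nothing to run: a system process started only to be injected into
        if base in SCRIPT_HOSTS and command_arguments(ev["cmdline"], ev["image"]) == "":
            alerts.append(Alert("script_host_without_script", ev["pid"], f"{base} started with no script argument"))
        # 3. cmd.exe deleting a file that was itself the image of an earlier process
        if base == "cmd.exe":
            m = DEL_RE.search(ev["cmdline"])
            if m and norm_path(m["target"]) in images_seen:
                alerts.append(Alert("dropper_self_delete", ev["pid"],
                                    f"cmd.exe deletes {m['target']}, the image of pid {images_seen[norm_path(m['target'])]}"))
        images_seen.setdefault(img, ev["pid"])
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.rule}] pid {a.pid}: {a.detail}")
```

Each rule alone is noisy on a busy host (browsers fork themselves, administrators delete files with cmd.exe); the value is in the three firing within seconds of each other along one parent chain, which is how an analyst would triage the tree above.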

                                  Disassembly

                                  Code Analysis

                                    Executed Functions

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 051A1A10
                                    • GetCurrentThread.KERNEL32 ref: 051A1A4D
                                    • GetCurrentProcess.KERNEL32 ref: 051A1A8A
                                    • GetCurrentThreadId.KERNEL32 ref: 051A1AE3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.313169571.00000000051A0000.00000040.00000001.sdmp, Offset: 05140000, based on PE: true
                                    • Associated: 00000000.00000002.313057308.0000000005140000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID: py
                                    • API String ID: 2063062207-1576276511
                                    • Opcode ID: 58e3ce39d845b13c3a4cd353bf8bfe47443a9d8693961c5ec539d27153a7fadc
                                    • Instruction ID: b61d9d3be5d58c78751e2aea6ca18b4e16720d25c2307b0e461e42a362f3dc4d
                                    • Opcode Fuzzy Hash: 58e3ce39d845b13c3a4cd353bf8bfe47443a9d8693961c5ec539d27153a7fadc
                                    • Instruction Fuzzy Hash: 375174B49043889FDB15CFA9C548BDEBBF5BF89318F248599E009A7360CB746844CF66
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 051A1A10
                                    • GetCurrentThread.KERNEL32 ref: 051A1A4D
                                    • GetCurrentProcess.KERNEL32 ref: 051A1A8A
                                    • GetCurrentThreadId.KERNEL32 ref: 051A1AE3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.313169571.00000000051A0000.00000040.00000001.sdmp, Offset: 05140000, based on PE: true
                                    • Associated: 00000000.00000002.313057308.0000000005140000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID: py
                                    • API String ID: 2063062207-1576276511
                                    • Opcode ID: 130296e4368e45d619955ee0400875ff77b035ae2085859563e6826dd443591f
                                    • Instruction ID: cdf395f40f9853e6a2f80986e24dd49ac89b78c53ccb6c48e0b150e5b6fab43d
                                    • Opcode Fuzzy Hash: 130296e4368e45d619955ee0400875ff77b035ae2085859563e6826dd443591f
                                    • Instruction Fuzzy Hash: D25163B49043499FDB14CFA9C648BDEBBF5BF88318F208559E009A3360CB745944CB6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 051A2067
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.313169571.00000000051A0000.00000040.00000001.sdmp, Offset: 05140000, based on PE: true
                                    • Associated: 00000000.00000002.313057308.0000000005140000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 7fe4f9a0b0a290b2235ad86817dc54a26a4f6950c511455b32b714792793a4ca
                                    • Instruction ID: 7e434e8f2d14ffe5080c31bdf237c15713b9248de71d6d535ebbb404cd7074ce
                                    • Opcode Fuzzy Hash: 7fe4f9a0b0a290b2235ad86817dc54a26a4f6950c511455b32b714792793a4ca
                                    • Instruction Fuzzy Hash: 252103B5900248EFDB10CFA9D984ADEBBF4FB49324F14841AE914A7210C379A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 051A2067
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.313169571.00000000051A0000.00000040.00000001.sdmp, Offset: 05140000, based on PE: true
                                    • Associated: 00000000.00000002.313057308.0000000005140000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 26234c05f5e2f1698e1809d9de1b3c39ffa0edeaafa012e85b2135e1d83f3e9d
                                    • Instruction ID: 5e87551a5d7c67e0b743bdaabf6f8c594a20ce68ac7cd3fe46f06c9c111241e7
                                    • Opcode Fuzzy Hash: 26234c05f5e2f1698e1809d9de1b3c39ffa0edeaafa012e85b2135e1d83f3e9d
                                    • Instruction Fuzzy Hash: 8F21F3B59002089FDB10CFAAD984ADEBBF8FB48324F14841AE915B7710C379A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.313057308.0000000005140000.00000004.00000001.sdmp, Offset: 05140000, based on PE: true
                                    • Associated: 00000000.00000002.313169571.00000000051A0000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: 4.0.$neut
                                    • API String ID: 0-1214844073
                                    • Opcode ID: 81f2cab7aaec22c13b2e6309753784495161b2cc7e9341fbfc13f98d6b83b35f
                                    • Instruction ID: 2d01aa817a4a59e28b6baf5ec1e556eab95118f078115cd2079ba9710d19adc2
                                    • Opcode Fuzzy Hash: 81f2cab7aaec22c13b2e6309753784495161b2cc7e9341fbfc13f98d6b83b35f
                                    • Instruction Fuzzy Hash: 08F1896544E3C16FC7178B31486D5A17FB1AF17224B1DAADFC5C68F0A3D318580ACB66
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.313169571.00000000051A0000.00000040.00000001.sdmp, Offset: 05140000, based on PE: true
                                    • Associated: 00000000.00000002.313057308.0000000005140000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8abab34e403140de347eb7a2fb789e701b5a1222a41217b1aba5743d110ed5c1
                                    • Instruction ID: 2b13d1fb3c3b5bef6753b06a1803f2e8c98c757ac1d67b62befc2c80b4e8c32f
                                    • Opcode Fuzzy Hash: 8abab34e403140de347eb7a2fb789e701b5a1222a41217b1aba5743d110ed5c1
                                    • Instruction Fuzzy Hash: F7A18E36E002198FCF16DFB5C8885EDB7F2FF85300B15856AE815AB265EB75A905CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    APIs
                                    • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: BMA$BMA
                                    • API String ID: 2738559852-2163208940
                                    • Opcode ID: 57858beab7d840be63e0609c5040b93089d684fa3ec464125e6ca1c8de97ba52
                                    • Instruction ID: f47a887cd2306692d8654df027feaa02507d6f7ae190c45cc68cb046687021a4
                                    • Opcode Fuzzy Hash: 57858beab7d840be63e0609c5040b93089d684fa3ec464125e6ca1c8de97ba52
                                    • Instruction Fuzzy Hash: BC0169B2200104AFCB14DF88CC90EEB77ADEF8C364F018249FA0CA7241D630E8118BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 0041A025
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: BMA$BMA
                                    • API String ID: 2738559852-2163208940
                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                    • Instruction ID: 370e936de0c6b30a0e9c68c176e8d16dab5dfb862c4be705976860dd555c5517
                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                    • Instruction Fuzzy Hash: DCF0A4B2210208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D630E8518BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Load
                                    • String ID:
                                    • API String ID: 2234796835-0
                                    • Opcode ID: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
                                    • Instruction ID: a31c2487d958de86685633fd431b3ef9c8f0d30197873f4edf114e6b439d7a00
                                    • Opcode Fuzzy Hash: 4e7e6ba31bbc1c6f731b244d46290ada3a087f6c5bf953407071256f7589dc13
                                    • Instruction Fuzzy Hash: A2015EB5D4020DBBDB10EBA5DC82FDEB7799B54308F0041AAE908A7281F634EB54CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419F7D
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                    • Instruction ID: 961861021b5599f6e321fa2eb4d652485a26ebd9b99d875dc12ce75f1520402c
                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                    • Instruction Fuzzy Hash: 3DF0BDB2215208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    • Opcode ID: 721d7cfa1304fcf05898b1460409692818eb5745a65093968fe8fc42b918678c
                                    • Instruction ID: 4b1bfc003a641df2639245b33e88fa48cd06b1d93079450aa7dfa2cc4b973895
                                    • Opcode Fuzzy Hash: 721d7cfa1304fcf05898b1460409692818eb5745a65093968fe8fc42b918678c
                                    • Instruction Fuzzy Hash: 21F012B1210109AFCB14DF99CC41EEB77A9EF8C354F114649FE1997291C630E911CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD04,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A149
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                    • Instruction ID: 37a8c631670896842b218247a062c4f669cdd6b33082669530ec9f00ac69b820
                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                    • Instruction Fuzzy Hash: 2BF015B2210208ABCB14DF89CC81EEB77ADAF88754F118249BE0897241C630F811CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: b86f9a1c9f228fd371841ea8b5b332d09c96f168564370caffda146f164df539
                                    • Instruction ID: ad790ab394d42ddfc7b80276edce87e5c53130a1a9111da76ae2c77e1071b6a3
                                    • Opcode Fuzzy Hash: b86f9a1c9f228fd371841ea8b5b332d09c96f168564370caffda146f164df539
                                    • Instruction Fuzzy Hash: 55E08C31600204ABDB20EBA4CC45FEB7B68EF843A0F10456ABA0CDB242C530E511CA90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 0041A085
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                    • Instruction ID: 6cd8388973e83edfd6cfca07806e1d74deb588f8289630df2fc4ecf908b9aac5
                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                    • Instruction Fuzzy Hash: 48D01776200214ABD710EB99CC85FE77BADEF48760F154599BA189B242C530FA1086E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 2b84c4ee8964a40039a5e96a9ff9037e251541c346b2514dc50fe3f8596a9ad6
                                    • Instruction ID: be05b566e99184db9e5cc75eaac03969a03815253e147b1eef2664b7c9bc766f
                                    • Opcode Fuzzy Hash: 2b84c4ee8964a40039a5e96a9ff9037e251541c346b2514dc50fe3f8596a9ad6
                                    • Instruction Fuzzy Hash: 759002A134100453E10061994414B060005E7E1341FD1C115E205C6A4DDA59CD567166
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: ba5bc391043e3e54c92071f7ca2196533d862b181a4acf29293633ca56e6f96b
                                    • Instruction ID: fcfdea3165a156a8e6cd7b8d66353d4eed1dd3304e33a8da847088f76afe94de
                                    • Opcode Fuzzy Hash: ba5bc391043e3e54c92071f7ca2196533d862b181a4acf29293633ca56e6f96b
                                    • Instruction Fuzzy Hash: 489002A120200013510571994414616400AA7E0341BD1C121E200C6E0DD96589957165
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 4e49be217eb187092d30ff9e0db5f6088a6a612a0fe795f92de6fd93908ef800
                                    • Instruction ID: c9ea6a8c9b6eacfe9dae68d01df55f4e0469bbb7a0e9e9ba68660b3a6ac8b6c6
                                    • Opcode Fuzzy Hash: 4e49be217eb187092d30ff9e0db5f6088a6a612a0fe795f92de6fd93908ef800
                                    • Instruction Fuzzy Hash: 7B9002B120100413E140719944047460005A7D0341FD1C111A605C6A4EDA998ED976A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: d1a1b50c49ecddf97e1619f4cee1b982ae0cf7b2a312f713e12fdb1f58b5a990
                                    • Instruction ID: 9c31f10b65c1b17adb4a1da569c9629f2a0035efe06d8fb9fce7b1755c49346b
                                    • Opcode Fuzzy Hash: d1a1b50c49ecddf97e1619f4cee1b982ae0cf7b2a312f713e12fdb1f58b5a990
                                    • Instruction Fuzzy Hash: 40900265211000131105A59907045070046A7D53913D1C121F200D6A0CEA6189656161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: b2cb950dc2cabb2af94e993bd6d6d546c7556408b440537041530d36710512bb
                                    • Instruction ID: 12fab08f6d8ed5df531e67fcb050d7fde179281e0745c8ee43f4153862c768fd
                                    • Opcode Fuzzy Hash: b2cb950dc2cabb2af94e993bd6d6d546c7556408b440537041530d36710512bb
                                    • Instruction Fuzzy Hash: 1C90026160100513E10171994404616000AA7D0381FD1C122A201C6A5EDE658A96B171
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: f6c4f5093ff0aa1d903b6bd888274923ce5f011255956a7c29ee7d1f31b8d649
                                    • Instruction ID: d90acacee73c877dc9d11f3de4f35a477d02063b495da81bed01820b5f3cc4dc
                                    • Opcode Fuzzy Hash: f6c4f5093ff0aa1d903b6bd888274923ce5f011255956a7c29ee7d1f31b8d649
                                    • Instruction Fuzzy Hash: 7B900261242041636545B19944045074006B7E03817D1C112A240CAA0CD966995AE661
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 264adf39f5470f717b9676f09e9b06cff3631dec628936180811628170637f34
                                    • Instruction ID: 86ea48be0d74b58b53c69c9cc7416c7cdbca845e356f0b814177761fca2eefe8
                                    • Opcode Fuzzy Hash: 264adf39f5470f717b9676f09e9b06cff3631dec628936180811628170637f34
                                    • Instruction Fuzzy Hash: E090027120100423E111619945047070009A7D0381FD1C512A141C6A8DEA968A56B161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: d9d1910617452eff9faad44160f9a57036a3c5adf6b0c022779319105d83d4c3
                                    • Instruction ID: aebaa85dc7325572423a7c7d2361c7689c7172b44921a182c8d7d699a83708dd
                                    • Opcode Fuzzy Hash: d9d1910617452eff9faad44160f9a57036a3c5adf6b0c022779319105d83d4c3
                                    • Instruction Fuzzy Hash: 3890026921300013E1807199540860A0005A7D1342FD1D515A100D6A8CDD55896D6361
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: b2e096607b8b0f60527155841998bb9294c7501dcca51442bde13606a3f07fb3
                                    • Instruction ID: 7af57fda57005fc0f73c2f41d434a583a1da19019728ad00764b0f33d4828bcd
                                    • Opcode Fuzzy Hash: b2e096607b8b0f60527155841998bb9294c7501dcca51442bde13606a3f07fb3
                                    • Instruction Fuzzy Hash: 9490026130100013E140719954186064005F7E1341FD1D111E140C6A4CED55895A6262
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: d3931e706344692c3f7b4b672f8a54aa9f491c78bca8965cbc90a62fef63e9fc
                                    • Instruction ID: 94dabb16db271464e0e144188247c30307e0b50452731a2d6511d64da89cf7d1
                                    • Opcode Fuzzy Hash: d3931e706344692c3f7b4b672f8a54aa9f491c78bca8965cbc90a62fef63e9fc
                                    • Instruction Fuzzy Hash: 6890027120100413E10065D954086460005A7E0341FD1D111A601C6A5EDAA589957171
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 26113174f8c9a815c51c77c87b675918b2a2f9e4c4959008bb65b4f44b1cf15b
                                    • Instruction ID: aa75988fb10b2f83a16cdcd26b8377903bb18ba38f4d476463e6dc4ee5776d9c
                                    • Opcode Fuzzy Hash: 26113174f8c9a815c51c77c87b675918b2a2f9e4c4959008bb65b4f44b1cf15b
                                    • Instruction Fuzzy Hash: 1590027120108813E1106199840474A0005A7D0341FD5C511A541C7A8DDAD589957161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: d07f131b82ea9f45a0c39c94d1bca8eda5ebef5a81d2d8303f02411c8fbaf56d
                                    • Instruction ID: 78e036e07e1e774548c4ff8e16f0624373e7f369808d002cc04de7be48517af4
                                    • Opcode Fuzzy Hash: d07f131b82ea9f45a0c39c94d1bca8eda5ebef5a81d2d8303f02411c8fbaf56d
                                    • Instruction Fuzzy Hash: 4390027120140413E1006199481470B0005A7D0342FD1C111A215C6A5DDA65895575B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 93c20231b510a618a2650d9f4213884db8afbd85c4adb9739123f0c0dd9a10a1
                                    • Instruction ID: 6977aa2449558a538ea08f2d7e2beb31755c06b172cf664fdb8862bcb5c7d3b0
                                    • Opcode Fuzzy Hash: 93c20231b510a618a2650d9f4213884db8afbd85c4adb9739123f0c0dd9a10a1
                                    • Instruction Fuzzy Hash: D490026160100053514071A988449064005BBE13517D1C221A198C6A0DD999896966A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: cd2375cfd926fa9cda2027b3ace307372470cf63f1a7168a02c9b90f8096c980
                                    • Instruction ID: 5845a932fbf779bcdfba24c53dc793b1aa9826263dce05b2ed6df5bbdc2aa687
                                    • Opcode Fuzzy Hash: cd2375cfd926fa9cda2027b3ace307372470cf63f1a7168a02c9b90f8096c980
                                    • Instruction Fuzzy Hash: CD90026121180053E20065A94C14B070005A7D0343FD1C215A114C6A4CDD5589656561
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 9927232ef105fc65941052313e5f6b6e4b881b480e6444648a0acddd533027fd
                                    • Instruction ID: 1ade2ed787246c4ce4d1eebb849fb3957c35307ee5e4687a239da998e6187e35
                                    • Opcode Fuzzy Hash: 9927232ef105fc65941052313e5f6b6e4b881b480e6444648a0acddd533027fd
                                    • Instruction Fuzzy Hash: 9190027120100813E1807199440464A0005A7D1341FD1C115A101D7A4DDE558B5D77E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
                                    • Instruction ID: 432e1ce9d525f57aefaca7daa4fe6280bf22d9d084bd04ba996dfdd8e8b53d12
                                    • Opcode Fuzzy Hash: 0327286b03ad3413f637a2475f25f286d9bf62369b9ecfde997da3914e589c74
                                    • Instruction Fuzzy Hash: 4F210CB2D4020857CB25D665AD42BEF737CAB54318F04017FE949A3182F638BE49CBA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    • Opcode ID: 04d3a9a69251edb1d3768af9f24479c0bba01892d7837abc2796bc8d3f92e475
                                    • Instruction ID: ba1fb131b74129c0d7782f1b191ddab2270d3bba55af058870ac61210c9d8382
                                    • Opcode Fuzzy Hash: 04d3a9a69251edb1d3768af9f24479c0bba01892d7837abc2796bc8d3f92e475
                                    • Instruction Fuzzy Hash: 17012431A803287BE720A6A59D42FFE272CAB40F44F14401EFF04FA1C1E6A8690546EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    • Opcode ID: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
                                    • Instruction ID: 1050077c77294267169ebb916dfae3a1405fb9879d8789690f6f999e3cf74240
                                    • Opcode Fuzzy Hash: 0bfa4e74d4fa1a6ebe56472b901301c3cf37ddf70bb540388544bf445b19770a
                                    • Instruction Fuzzy Hash: AD01D831A8032877E720A6959C03FFE771C6B40F54F044019FF04BA1C1E6A8690546EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5845107cd6bde830653fcfc0efd2ae75b08230588f2e124d0d66d31033fc4ca7
                                    • Instruction ID: 140812ef1840070bb1a4b773dc4a20e4326085b560cd8638d719405b1ca3c0af
                                    • Opcode Fuzzy Hash: 5845107cd6bde830653fcfc0efd2ae75b08230588f2e124d0d66d31033fc4ca7
                                    • Instruction Fuzzy Hash: 0E01DB722002147BDB20EF99CC88EE737ACEF85760F008159FA0C9B202C634BD108BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A26D
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                    • Instruction ID: 8b4701b4f03220052e2b3b5ed4c672ef58e2eb60ff823c8fb6afa074398e137c
                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                    • Instruction Fuzzy Hash: DCE04FB12102046BD714DF59CC45EE777ADEF88750F014559FE0857241C630F910CAF0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A22D
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                    • Instruction ID: 4224f920e4464a65d08b1d76aaa125f94db740d8927d38e6c7d6b62f4195d12c
                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                    • Instruction Fuzzy Hash: 58E012B1210208ABDB14EF99CC41EA777ADAF88664F118559BA085B242C630F9118AB0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A3D0
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                    • Instruction ID: 9e479b2eaf60326b59b5a15a73b63e8f9b290ab663b6f1255dfa49a1ae2fc0e3
                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                    • Instruction Fuzzy Hash: DFE01AB12002086BDB10DF49CC85EE737ADAF88650F018155BA0857241C934F8118BF5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                    • Instruction ID: ec4c192c261470033b7d3fff11050ba2ce0bed15fbfecc5592b4580303735d53
                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                    • Instruction Fuzzy Hash: 29D017726142187BD620EB99CC85FD777ACDF487A0F0181A9BA1C6B242C531BA108AE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2A8
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: a74ce8aa11965c028991d7493dcfab3b245107c0e3b1a4e3fdc046e1c48618a9
                                    • Instruction ID: 112d608d5d45ef0efc72efa71f730536102033559c09f63278dbd7c8d34996cd
                                    • Opcode Fuzzy Hash: a74ce8aa11965c028991d7493dcfab3b245107c0e3b1a4e3fdc046e1c48618a9
                                    • Instruction Fuzzy Hash: F8E012716102047BD724DF64CC95FD73BA8DF49350F118569B919AB241C535AA01CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 68e37210a248f7e47eb25779bd2a856c05e54f147b8173ac2bf0c5b2f056e3df
                                    • Instruction ID: e48739a22af62c0aaf6cd864691d8f6d037cb7ba095cc594a1dfd425c1d19496
                                    • Opcode Fuzzy Hash: 68e37210a248f7e47eb25779bd2a856c05e54f147b8173ac2bf0c5b2f056e3df
                                    • Instruction Fuzzy Hash: A8B02B71C010C0C6EB02D3A40608717390077C0300F57C011D2028380B4738C180F1F1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Strings
                                    • The resource is owned shared by %d threads, xrefs: 0190B37E
                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0190B53F
                                    • *** then kb to get the faulting stack, xrefs: 0190B51C
                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0190B484
                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0190B39B
                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0190B305
                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 0190B352
                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0190B314
                                    • a NULL pointer, xrefs: 0190B4E0
                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0190B476
                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0190B323
                                    • <unknown>, xrefs: 0190B27E, 0190B2D1, 0190B350, 0190B399, 0190B417, 0190B48E
                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0190B47D
                                    • The instruction at %p tried to %s , xrefs: 0190B4B6
                                    • *** An Access Violation occurred in %ws:%s, xrefs: 0190B48F
                                    • *** enter .exr %p for the exception record, xrefs: 0190B4F1
                                    • The critical section is owned by thread %p., xrefs: 0190B3B9
                                    • *** Inpage error in %ws:%s, xrefs: 0190B418
                                    • This failed because of error %Ix., xrefs: 0190B446
                                    • Go determine why that thread has not released the critical section., xrefs: 0190B3C5
                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0190B38F
                                    • write to, xrefs: 0190B4A6
                                    • read from, xrefs: 0190B4AD, 0190B4B2
                                    • The resource is owned exclusively by thread %p, xrefs: 0190B374
                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0190B3D6
                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0190B2DC
                                    • *** enter .cxr %p for the context, xrefs: 0190B50D
                                    • The instruction at %p referenced memory at %p., xrefs: 0190B432
                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0190B2F3
                                    • an invalid address, %p, xrefs: 0190B4CF
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                    • API String ID: 0-108210295
                                    • Opcode ID: 165f4816d0c61b0714a3cfe01cd674581e0761b471b02fbfc354eda5b011e948
                                    • Instruction ID: 6b31eb8dfdf6aa66a25d02b234260b83c8a6cb25fa1125f21846fa1f25cebcde
                                    • Opcode Fuzzy Hash: 165f4816d0c61b0714a3cfe01cd674581e0761b471b02fbfc354eda5b011e948
                                    • Instruction Fuzzy Hash: 3481387DA80200FFDB225B4E8C89D6B3BA9EF67B56F410048F5099B292D6698711C772
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E01911C06() {
                                    				signed int _t27;
                                    				char* _t104;
                                    				char* _t105;
                                    				intOrPtr _t113;
                                    				intOrPtr _t115;
                                    				intOrPtr _t117;
                                    				intOrPtr _t119;
                                    				intOrPtr _t120;
                                    
                                    				_t105 = 0x18348a4;
                                    				_t104 = "HEAP: ";
                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                    					_push(_t104);
                                    					E0185B150();
                                    				} else {
                                    					E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                    				}
                                    				_push( *0x194589c);
                                    				E0185B150("Heap error detected at %p (heap handle %p)\n",  *0x19458a0);
                                    				_t27 =  *0x1945898; // 0x0
                                    				if(_t27 <= 0xf) {
                                    					switch( *((intOrPtr*)(_t27 * 4 +  &M01911E96))) {
                                    						case 0:
                                    							_t105 = "heap_failure_internal";
                                    							goto L21;
                                    						case 1:
                                    							goto L21;
                                    						case 2:
                                    							goto L21;
                                    						case 3:
                                    							goto L21;
                                    						case 4:
                                    							goto L21;
                                    						case 5:
                                    							goto L21;
                                    						case 6:
                                    							goto L21;
                                    						case 7:
                                    							goto L21;
                                    						case 8:
                                    							goto L21;
                                    						case 9:
                                    							goto L21;
                                    						case 0xa:
                                    							goto L21;
                                    						case 0xb:
                                    							goto L21;
                                    						case 0xc:
                                    							goto L21;
                                    						case 0xd:
                                    							goto L21;
                                    						case 0xe:
                                    							goto L21;
                                    						case 0xf:
                                    							goto L21;
                                    					}
                                    				}
                                    				L21:
                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                    					_push(_t104);
                                    					E0185B150();
                                    				} else {
                                    					E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                    				}
                                    				_push(_t105);
                                    				E0185B150("Error code: %d - %s\n",  *0x1945898);
                                    				_t113 =  *0x19458a4; // 0x0
                                    				if(_t113 != 0) {
                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                    						_push(_t104);
                                    						E0185B150();
                                    					} else {
                                    						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                    					}
                                    					E0185B150("Parameter1: %p\n",  *0x19458a4);
                                    				}
                                    				_t115 =  *0x19458a8; // 0x0
                                    				if(_t115 != 0) {
                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                    						_push(_t104);
                                    						E0185B150();
                                    					} else {
                                    						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                    					}
                                    					E0185B150("Parameter2: %p\n",  *0x19458a8);
                                    				}
                                    				_t117 =  *0x19458ac; // 0x0
                                    				if(_t117 != 0) {
                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                    						_push(_t104);
                                    						E0185B150();
                                    					} else {
                                    						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                    					}
                                    					E0185B150("Parameter3: %p\n",  *0x19458ac);
                                    				}
                                    				_t119 =  *0x19458b0; // 0x0
                                    				if(_t119 != 0) {
                                    					L41:
                                    					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                    						_push(_t104);
                                    						E0185B150();
                                    					} else {
                                    						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                    					}
                                    					_push( *0x19458b4);
                                    					E0185B150("Last known valid blocks: before - %p, after - %p\n",  *0x19458b0);
                                    				} else {
                                    					_t120 =  *0x19458b4; // 0x0
                                    					if(_t120 != 0) {
                                    						goto L41;
                                    					}
                                    				}
                                    				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                    					_push(_t104);
                                    					E0185B150();
                                    				} else {
                                    					E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                    				}
                                    				return E0185B150("Stack trace available at %p\n", 0x19458c0);
                                     			}

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                    • API String ID: 0-2897834094
                                    • Opcode ID: 43eb9dbe8c6884e049d647964848cde52493e6b2e2fc4ee4c39d4ff7e1b15f11
                                    • Instruction ID: cc3665d99f8cfb697f96a62f1d8a7168a74a298f8da7d5161c853befbea62480
                                    • Opcode Fuzzy Hash: 43eb9dbe8c6884e049d647964848cde52493e6b2e2fc4ee4c39d4ff7e1b15f11
                                    • Instruction Fuzzy Hash: 5661E63695554DEFE791ABADD484D2073A5F710B21B0A807AFB0DDB344DA289E80CF4B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E01863D34(signed int* __ecx) {
                                    				signed int* _v8;
                                    				char _v12;
                                    				signed int* _v16;
                                    				signed int* _v20;
                                    				char _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				signed int* _v48;
                                    				signed int* _v52;
                                    				signed int _v56;
                                    				signed int _v60;
                                    				char _v68;
                                    				signed int _t140;
                                    				signed int _t161;
                                    				signed int* _t236;
                                    				signed int* _t242;
                                    				signed int* _t243;
                                    				signed int* _t244;
                                    				signed int* _t245;
                                    				signed int _t255;
                                    				void* _t257;
                                    				signed int _t260;
                                    				void* _t262;
                                    				signed int _t264;
                                    				void* _t267;
                                    				signed int _t275;
                                    				signed int* _t276;
                                    				short* _t277;
                                    				signed int* _t278;
                                    				signed int* _t279;
                                    				signed int* _t280;
                                    				short* _t281;
                                    				signed int* _t282;
                                    				short* _t283;
                                    				signed int* _t284;
                                    				void* _t285;
                                    
                                    				_v60 = _v60 | 0xffffffff;
                                    				_t280 = 0;
                                    				_t242 = __ecx;
                                    				_v52 = __ecx;
                                    				_v8 = 0;
                                    				_v20 = 0;
                                    				_v40 = 0;
                                    				_v28 = 0;
                                    				_v32 = 0;
                                    				_v44 = 0;
                                    				_v56 = 0;
                                    				_t275 = 0;
                                    				_v16 = 0;
                                    				if(__ecx == 0) {
                                    					_t280 = 0xc000000d;
                                    					_t140 = 0;
                                    					L50:
                                    					 *_t242 =  *_t242 | 0x00000800;
                                    					_t242[0x13] = _t140;
                                    					_t242[0x16] = _v40;
                                    					_t242[0x18] = _v28;
                                    					_t242[0x14] = _v32;
                                    					_t242[0x17] = _t275;
                                    					_t242[0x15] = _v44;
                                    					_t242[0x11] = _v56;
                                    					_t242[0x12] = _v60;
                                    					return _t280;
                                    				}
                                    				if(E01861B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                    					_v56 = 1;
                                    					if(_v8 != 0) {
                                    						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                    					}
                                    					_v8 = _t280;
                                    				}
                                    				if(E01861B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                    					_v60 =  *_v8;
                                    					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                    					_v8 = _t280;
                                    				}
                                    				if(E01861B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                    					L16:
                                    					if(E01861B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                    						L28:
                                    						if(E01861B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                    							L46:
                                    							_t275 = _v16;
                                    							L47:
                                    							_t161 = 0;
                                    							L48:
                                    							if(_v8 != 0) {
                                    								L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                    							}
                                    							_t140 = _v20;
                                    							if(_t140 != 0) {
                                    								if(_t275 != 0) {
                                    									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                    									_t275 = 0;
                                    									_v28 = 0;
                                    									_t140 = _v20;
                                    								}
                                    							}
                                    							goto L50;
                                    						}
                                    						_t167 = _v12;
                                    						_t255 = _v12 + 4;
                                    						_v44 = _t255;
                                    						if(_t255 == 0) {
                                    							_t276 = _t280;
                                    							_v32 = _t280;
                                    						} else {
                                    							_t276 = L01874620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                    							_t167 = _v12;
                                    							_v32 = _t276;
                                    						}
                                    						if(_t276 == 0) {
                                    							_v44 = _t280;
                                    							_t280 = 0xc0000017;
                                    							goto L46;
                                    						} else {
                                    							E0189F3E0(_t276, _v8, _t167);
                                    							_v48 = _t276;
                                    							_t277 = E018A1370(_t276, 0x1834e90);
                                    							_pop(_t257);
                                    							if(_t277 == 0) {
                                    								L38:
                                    								_t170 = _v48;
                                    								if( *_v48 != 0) {
                                    									E0189BB40(0,  &_v68, _t170);
                                    									if(L018643C0( &_v68,  &_v24) != 0) {
                                    										_t280 =  &(_t280[0]);
                                    									}
                                    								}
                                    								if(_t280 == 0) {
                                    									_t280 = 0;
                                    									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                    									_v44 = 0;
                                    									_v32 = 0;
                                    								} else {
                                    									_t280 = 0;
                                    								}
                                    								_t174 = _v8;
                                    								if(_v8 != 0) {
                                    									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                    								}
                                    								_v8 = _t280;
                                    								goto L46;
                                    							}
                                    							_t243 = _v48;
                                    							do {
                                    								 *_t277 = 0;
                                    								_t278 = _t277 + 2;
                                    								E0189BB40(_t257,  &_v68, _t243);
                                    								if(L018643C0( &_v68,  &_v24) != 0) {
                                    									_t280 =  &(_t280[0]);
                                    								}
                                    								_t243 = _t278;
                                    								_t277 = E018A1370(_t278, 0x1834e90);
                                    								_pop(_t257);
                                    							} while (_t277 != 0);
                                    							_v48 = _t243;
                                    							_t242 = _v52;
                                    							goto L38;
                                    						}
                                    					}
                                    					_t191 = _v12;
                                    					_t260 = _v12 + 4;
                                    					_v28 = _t260;
                                    					if(_t260 == 0) {
                                    						_t275 = _t280;
                                    						_v16 = _t280;
                                    					} else {
                                    						_t275 = L01874620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                    						_t191 = _v12;
                                    						_v16 = _t275;
                                    					}
                                    					if(_t275 == 0) {
                                    						_v28 = _t280;
                                    						_t280 = 0xc0000017;
                                    						goto L47;
                                    					} else {
                                    						E0189F3E0(_t275, _v8, _t191);
                                    						_t285 = _t285 + 0xc;
                                    						_v48 = _t275;
                                    						_t279 = _t280;
                                    						_t281 = E018A1370(_v16, 0x1834e90);
                                    						_pop(_t262);
                                    						if(_t281 != 0) {
                                    							_t244 = _v48;
                                    							do {
                                    								 *_t281 = 0;
                                    								_t282 = _t281 + 2;
                                    								E0189BB40(_t262,  &_v68, _t244);
                                    								if(L018643C0( &_v68,  &_v24) != 0) {
                                    									_t279 =  &(_t279[0]);
                                    								}
                                    								_t244 = _t282;
                                    								_t281 = E018A1370(_t282, 0x1834e90);
                                    								_pop(_t262);
                                    							} while (_t281 != 0);
                                    							_v48 = _t244;
                                    							_t242 = _v52;
                                    						}
                                    						_t201 = _v48;
                                    						_t280 = 0;
                                    						if( *_v48 != 0) {
                                    							E0189BB40(_t262,  &_v68, _t201);
                                    							if(L018643C0( &_v68,  &_v24) != 0) {
                                    								_t279 =  &(_t279[0]);
                                    							}
                                    						}
                                    						if(_t279 == 0) {
                                    							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                    							_v28 = _t280;
                                    							_v16 = _t280;
                                    						}
                                    						_t202 = _v8;
                                    						if(_v8 != 0) {
                                    							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                    						}
                                    						_v8 = _t280;
                                    						goto L28;
                                    					}
                                    				}
                                    				_t214 = _v12;
                                    				_t264 = _v12 + 4;
                                    				_v40 = _t264;
                                    				if(_t264 == 0) {
                                    					_v20 = _t280;
                                    				} else {
                                    					_t236 = L01874620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                    					_t280 = _t236;
                                    					_v20 = _t236;
                                    					_t214 = _v12;
                                    				}
                                    				if(_t280 == 0) {
                                    					_t161 = 0;
                                    					_t280 = 0xc0000017;
                                    					_v40 = 0;
                                    					goto L48;
                                    				} else {
                                    					E0189F3E0(_t280, _v8, _t214);
                                    					_t285 = _t285 + 0xc;
                                    					_v48 = _t280;
                                    					_t283 = E018A1370(_t280, 0x1834e90);
                                    					_pop(_t267);
                                    					if(_t283 != 0) {
                                    						_t245 = _v48;
                                    						do {
                                    							 *_t283 = 0;
                                    							_t284 = _t283 + 2;
                                    							E0189BB40(_t267,  &_v68, _t245);
                                    							if(L018643C0( &_v68,  &_v24) != 0) {
                                    								_t275 = _t275 + 1;
                                    							}
                                    							_t245 = _t284;
                                    							_t283 = E018A1370(_t284, 0x1834e90);
                                    							_pop(_t267);
                                    						} while (_t283 != 0);
                                    						_v48 = _t245;
                                    						_t242 = _v52;
                                    					}
                                    					_t224 = _v48;
                                    					_t280 = 0;
                                    					if( *_v48 != 0) {
                                    						E0189BB40(_t267,  &_v68, _t224);
                                    						if(L018643C0( &_v68,  &_v24) != 0) {
                                    							_t275 = _t275 + 1;
                                    						}
                                    					}
                                    					if(_t275 == 0) {
                                    						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                    						_v40 = _t280;
                                    						_v20 = _t280;
                                    					}
                                    					_t225 = _v8;
                                    					if(_v8 != 0) {
                                    						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                    					}
                                    					_v8 = _t280;
                                    					goto L16;
                                    				}
                                    			}

                                    Strings
                                    • Kernel-MUI-Language-SKU, xrefs: 01863F70
                                    • Kernel-MUI-Language-Disallowed, xrefs: 01863E97
                                    • Kernel-MUI-Number-Allowed, xrefs: 01863D8C
                                    • Kernel-MUI-Language-Allowed, xrefs: 01863DC0
                                    • WindowsExcludedProcs, xrefs: 01863D6F
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                    • API String ID: 0-258546922
                                    • Opcode ID: 7d83e22b37c305bb196b190335696969ef3fb26b25ba615e0877e4f31802f3e0
                                    • Instruction ID: 8ea8e64c5b6034e0f761ddf6a6b3c819bbbcd2fc5a73f40d2bbf07d61352ac3e
                                    • Opcode Fuzzy Hash: 7d83e22b37c305bb196b190335696969ef3fb26b25ba615e0877e4f31802f3e0
                                    • Instruction Fuzzy Hash: 0CF11572D00619EBDB12DF98C980AEEBBBDFF59750F14006AE905E7251E7349B01CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E01888E00(void* __ecx) {
                                    				signed int _v8;
                                    				char _v12;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				intOrPtr* _t32;
                                    				intOrPtr _t35;
                                    				intOrPtr _t43;
                                    				void* _t46;
                                    				intOrPtr _t47;
                                    				void* _t48;
                                    				signed int _t49;
                                    				void* _t50;
                                    				intOrPtr* _t51;
                                    				signed int _t52;
                                    				void* _t53;
                                    				intOrPtr _t55;
                                    
                                    				_v8 =  *0x194d360 ^ _t52;
                                    				_t49 = 0;
                                    				_t48 = __ecx;
                                    				_t55 =  *0x1948464; // 0x74b10110
                                    				if(_t55 == 0) {
                                    					L9:
                                    					if( !_t49 >= 0) {
                                    						if(( *0x1945780 & 0x00000003) != 0) {
                                    							E018D5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                    						}
                                    						if(( *0x1945780 & 0x00000010) != 0) {
                                    							asm("int3");
                                    						}
                                    					}
                                    					return E0189B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                    				}
                                    				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                    				_t43 =  *0x1947984; // 0x13f2af0
                                    				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                    					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                    					if(_t48 == _t43) {
                                    						_t50 = 0x5c;
                                    						if( *_t32 == _t50) {
                                    							_t46 = 0x3f;
                                    							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                    								_t32 = _t32 + 8;
                                    							}
                                    						}
                                    					}
                                    					_t51 =  *0x1948464; // 0x74b10110
                                    					 *0x194b1e0(_t47, _t32,  &_v12);
                                    					_t49 =  *_t51();
                                    					if(_t49 >= 0) {
                                    						L8:
                                    						_t35 = _v12;
                                    						if(_t35 != 0) {
                                    							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                    								E01889B10( *((intOrPtr*)(_t48 + 0x48)));
                                    								_t35 = _v12;
                                    							}
                                    							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                    						}
                                    						goto L9;
                                    					}
                                    					if(_t49 != 0xc000008a) {
                                    						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                    							if(_t49 != 0xc00000bb) {
                                    								goto L8;
                                    							}
                                    						}
                                    					}
                                    					if(( *0x1945780 & 0x00000005) != 0) {
                                    						_push(_t49);
                                    						E018D5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                    						_t53 = _t53 + 0x1c;
                                    					}
                                    					_t49 = 0;
                                    					goto L8;
                                    				} else {
                                    					goto L9;
                                    				}
                                    			}

                                    Strings
                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 018C9357
                                    • LdrpFindDllActivationContext, xrefs: 018C9331, 018C935D
                                    • minkernel\ntdll\ldrsnap.c, xrefs: 018C933B, 018C9367
                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 018C932A
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                    • API String ID: 0-3779518884
                                    • Opcode ID: 16cd0d8cfd4e82ef9f1c071ce9329592939bed5a7019714c9bbc3ee6d1a846bf
                                    • Instruction ID: 7d8b01a5da9d55cc5e134441712f2922a49b75d4a4cc2759b499ca9e8a1138c0
                                    • Opcode Fuzzy Hash: 16cd0d8cfd4e82ef9f1c071ce9329592939bed5a7019714c9bbc3ee6d1a846bf
                                    • Instruction Fuzzy Hash: 23410931A407199FEB36BB5CC888E35B7B5AB46758F8A4169E904D71D1E770AF80C3C1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • LdrpDoPostSnapWork, xrefs: 018B9C1E
                                    • minkernel\ntdll\ldrsnap.c, xrefs: 018B9C28
                                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 018B9C18
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                    • API String ID: 2994545307-1948996284
                                    • Opcode ID: 9fc9d1321af9fa12ec487c8ae2eb2592e9d77f7c3c48f821cca36f37f60abb9f
                                    • Instruction ID: d825c5712a97547b92a7ffe27c3da0dd86f2d2282ad16b514f24cbfe52b450b3
                                    • Opcode Fuzzy Hash: 9fc9d1321af9fa12ec487c8ae2eb2592e9d77f7c3c48f821cca36f37f60abb9f
                                    • Instruction Fuzzy Hash: 1391E171A0031A9FEF28DF5DD4C1AAAB7B9FF86314B154169DA09EB241D730EB01CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • LdrpCompleteMapModule, xrefs: 018B9898
                                    • Could not validate the crypto signature for DLL %wZ, xrefs: 018B9891
                                    • minkernel\ntdll\ldrmap.c, xrefs: 018B98A2
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                    • API String ID: 0-1676968949
                                    • Opcode ID: ddc88061dd6c077ab74138e5d9ba6ad6b7ce9543869a6df9c469f2c510fed3f8
                                    • Instruction ID: ce378370fa2a4bc56e8fa312be9420896be72d6cc8dc8787f836a91fe6b34e8e
                                    • Opcode Fuzzy Hash: ddc88061dd6c077ab74138e5d9ba6ad6b7ce9543869a6df9c469f2c510fed3f8
                                    • Instruction Fuzzy Hash: 4A51E171A04746DBE722CB6CCD84B6A7BA8AB00B1CF0405A9EA51DB3D1D734EF04C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • @, xrefs: 0185E6C0
                                    • InstallLanguageFallback, xrefs: 0185E6DB
                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0185E68C
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                    • API String ID: 0-1757540487
                                    • Opcode ID: 6a53c322fcd6c412abe15dcbf430cc8270dc04fff5dc11bbedfbceb51a48a9ab
                                    • Instruction ID: 574d6e985e5c0fcc3e74d30d28bd3583d535941755f25237b8cb3da4a885f474
                                    • Opcode Fuzzy Hash: 6a53c322fcd6c412abe15dcbf430cc8270dc04fff5dc11bbedfbceb51a48a9ab
                                    • Instruction Fuzzy Hash: D7516FB25043469BDB15DF68C880AABB7E8EF88755F05092EF985D7250E734DB04C7A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: `$`
                                    • API String ID: 0-197956300
                                    • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                    • Instruction ID: 05bd713e0f8c1b43158e6809ec85bb3ed8137c110e98fc28fcee8ca1d2298712
                                    • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a4088141dca32b6a7231275e7f0585e4e6870f0cd6a9eea68ab87c16f4c1a3dc
                                    • Instruction ID: 1f108626a4c7a5e0d71082bfc5e9de8f9530c01ae0ee79a9cf1a24d0eebf8693
                                    • Opcode Fuzzy Hash: a4088141dca32b6a7231275e7f0585e4e6870f0cd6a9eea68ab87c16f4c1a3dc
                                    • Instruction Fuzzy Hash: 5F419736A002199BDB21EF68C940BE977B9EF45710F1105A9E908EB341E774DF45CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b6fdd5a4f99520bb3ef85455ecb0584e6e12fada1e0a6d03e9a52454bbd2c55a
                                    • Instruction ID: 5ae1cc4709ab34fb393d3c9405a9439d331eed5ac6c6fbac08869d5ea7172ec4
                                    • Opcode Fuzzy Hash: b6fdd5a4f99520bb3ef85455ecb0584e6e12fada1e0a6d03e9a52454bbd2c55a
                                    • Instruction Fuzzy Hash: B4417EB4A0032D9BDB24DF19C888AA9B7F8EB55304F1041EAD91DD7242EB709F80CF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                    • Instruction ID: 3843f7daf554163910e8c479623e163b9a053a5416780f126261ea0b9011ff3f
                                    • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                    • Instruction Fuzzy Hash: 3431283220064C6FD722876CC848F6A7BAAEBC5750F084558E54E8B34ADA70EC85C750
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                    • Instruction ID: 8ae8923820c5c5cba8673b3827df12280fa6f71336521f72c104e6654ed3627b
                                    • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                    • Instruction Fuzzy Hash: C531B47260470A9BC71ADF28C880A5BB7AAFFC4310F04492DF95A87785DE30E945C7A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 62da94347473a41523ab086ff7feac7cf9c577f79a72081c6ff329abb94dd061
                                    • Instruction ID: 42857088606c05e67f9f633958953994c7c47fe765df76f7726031158853a886
                                    • Opcode Fuzzy Hash: 62da94347473a41523ab086ff7feac7cf9c577f79a72081c6ff329abb94dd061
                                    • Instruction Fuzzy Hash: 78415CB5D003099FDB24DFAAD940BAEBBF8EF48714F14812AE954E7240EB749A05CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4682b9382d7ed1a302b9976a7017b2fcbe6b341d86aa7364f7ca85c6f38967f9
                                    • Instruction ID: 14f046c10718c15de863755abacc28d207d2c42ef6b4aef3b092462deacf688d
                                    • Opcode Fuzzy Hash: 4682b9382d7ed1a302b9976a7017b2fcbe6b341d86aa7364f7ca85c6f38967f9
                                    • Instruction Fuzzy Hash: 9C31F231641605ABCB269B1CC880BAB7BB5EF107A4F194719F959CB6E0EB60FB00C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a6783fd8d2e418e2c2d97c3aa403f8195f9e46738e2a21a3c1e0e61032dc14d9
                                    • Instruction ID: e615db68f0c7949daecbdfd2bcd84ae22bc56eb6bb8ecb393dbe6dd2fdf7976e
                                    • Opcode Fuzzy Hash: a6783fd8d2e418e2c2d97c3aa403f8195f9e46738e2a21a3c1e0e61032dc14d9
                                    • Instruction Fuzzy Hash: 3231AB31A05615DBDB258F3DC851A6ABBE5FF85B10B09806EE94ACB750E730DA40C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f717c091e637678f4b20b460c85951802c6010f9f1b164075dbc65ffe66dd456
                                    • Instruction ID: b55a074d86dea6350df1fe57bac05c33c395021bd296dd33e019f8df5afbacf9
                                    • Opcode Fuzzy Hash: f717c091e637678f4b20b460c85951802c6010f9f1b164075dbc65ffe66dd456
                                    • Instruction Fuzzy Hash: 70417C75A00219DFDB19EF58C480BA9BBF1FF89708F1580AAE905EB384C774EA01CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                    • Instruction ID: 392b0d38f175dc7937bc808588acacf661a56dc5832e9e09b8676f72a1cc2dd6
                                    • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                    • Instruction Fuzzy Hash: 8631167260154BBAD705EBB8D490BE9FB59BF52304F04416AD51CC7201DB34EB45C7E2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2790dfbb012d03be467c3a70209afc633f00002399399d97d994bad9bfa62b79
                                    • Instruction ID: 32d76fdacf9478e81b592b07ab99511a9262b304187473cbbeaaedee1dc1b79c
                                    • Opcode Fuzzy Hash: 2790dfbb012d03be467c3a70209afc633f00002399399d97d994bad9bfa62b79
                                    • Instruction Fuzzy Hash: 4B31C0766047919BC720DF6CC840E6AB7E9FF88704F044A29F995C7690E730EA04CBA6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 73d7570eb8841d77d8859bba09eea82c86d63e114528e8580c5971077f18aaaf
                                    • Instruction ID: 3c6951d2a8c4f3fc5c7e185a0358c8996b79e1760275062ac5d9fdcfcfa50da4
                                    • Opcode Fuzzy Hash: 73d7570eb8841d77d8859bba09eea82c86d63e114528e8580c5971077f18aaaf
                                    • Instruction Fuzzy Hash: 5131F5B9604619EFD72DEF88D880F25BBF9FB84750F14095AE245C7284D370AA01CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 636c412553500a1235160f49b938a35d478eed9c20002e783bb04e9e8f00b7f4
                                    • Instruction ID: fe3215966f31bc615d0953ee26c1722088f1cf223ac9ca768cc7694532214c01
                                    • Opcode Fuzzy Hash: 636c412553500a1235160f49b938a35d478eed9c20002e783bb04e9e8f00b7f4
                                    • Instruction Fuzzy Hash: 113138716157018FE360DF1DC940B26BBE5FF88B04F15496DEA98DB252E7B0EA04CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fa0e8d0a5ca647a5bc1c0233b790d39c04bbce4754e0a01860d0f8ceb85ab3ee
                                    • Instruction ID: 47a541bdd3b84a15180f652d3e3850977e34e596d23da5b40fd1f78156dfc4e6
                                    • Opcode Fuzzy Hash: fa0e8d0a5ca647a5bc1c0233b790d39c04bbce4754e0a01860d0f8ceb85ab3ee
                                    • Instruction Fuzzy Hash: C631C571A0011AABCF15AF68CD81ABFB7B9EF44700F454069F902E7250E7789B51DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8d56b299aa5f23aa7524d4c38bd11845eb6654efb7637c92df7b5348a9144b7f
                                    • Instruction ID: 09ee0e3f341636891cfab2dab26e90e0e134c0cf17f97e03644ed136833e427b
                                    • Opcode Fuzzy Hash: 8d56b299aa5f23aa7524d4c38bd11845eb6654efb7637c92df7b5348a9144b7f
                                    • Instruction Fuzzy Hash: 39419CB1D003199BDB24CFAAD980AADFBF4BB49710F5481AEE509E7240EB745A84CF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1b5c2fce58ab02f1c86ea69681d6f7330abb691da3a601e15d5cf453532de726
                                    • Instruction ID: 505139c03e6d95fc8be6b41ee544027d105f7e18fb059ad81cdbc069c6035e5b
                                    • Opcode Fuzzy Hash: 1b5c2fce58ab02f1c86ea69681d6f7330abb691da3a601e15d5cf453532de726
                                    • Instruction Fuzzy Hash: 0F3144322153019BCB22DF58CA80B2ABBE6FFC1B14F08042DE91AC7241CB74DA01CB86
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 83764c80fa368f932adea62402743a0a48c1f7375c1207cf036fb16ef3ff606a
                                    • Instruction ID: e03ce406c7b9c6ef2d7eeb79cde756454d5008a3dffe46cf163d2bb6a5364d5b
                                    • Opcode Fuzzy Hash: 83764c80fa368f932adea62402743a0a48c1f7375c1207cf036fb16ef3ff606a
                                    • Instruction Fuzzy Hash: 44317EB5A14249EFE744EF58D841F9ABBE8FB09314F14825AF904CB341D631EE80CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 124bc796cff754b28b51f85ad2ad287d79c311d9b7ed3bc7199c3caa939a90ff
                                    • Instruction ID: 43a91cb8fab9771cab93bc684fc0763fe8f77101f590158366d78d72743c3166
                                    • Opcode Fuzzy Hash: 124bc796cff754b28b51f85ad2ad287d79c311d9b7ed3bc7199c3caa939a90ff
                                    • Instruction Fuzzy Hash: 063122B6604606EBDB21EF5CC4C0BA673B4FF59314F040078ED48DB206EB74DA068B81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                    • Instruction ID: cee9ce2ed4496019d22755bc55f808b215b014c9d026363fa03ea72291b6a043
                                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                    • Instruction Fuzzy Hash: 18217F72600119EFD721DF59CC88EAABBB9FF85B54F114055EA05D7250DA34EF02C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8195678506a28aa8d1c982b00bb57b7e853a4690abc4b323e8a045311d3ef556
                                    • Instruction ID: 5eaeadaf9a5b216dbca105da2b98d6a591436647e9c6b03adc9f4530f280f696
                                    • Opcode Fuzzy Hash: 8195678506a28aa8d1c982b00bb57b7e853a4690abc4b323e8a045311d3ef556
                                    • Instruction Fuzzy Hash: B631C775D41A55DFDBA1DBACC088BACBBF1FB44358F18815DC818E7241C338AA40C752
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 213ecd0fe9a283ebd2aad3bb7fad70017289e6fc32279ce7efde9465e137a3c5
                                    • Instruction ID: 78a6b01125df5c0c53ee407781daac87e8c26025f00bfc3518c71f154d90c0cc
                                    • Opcode Fuzzy Hash: 213ecd0fe9a283ebd2aad3bb7fad70017289e6fc32279ce7efde9465e137a3c5
                                    • Instruction Fuzzy Hash: C0317A31601A048FD726CB28C880BA6B7E5FB89724F144569E59AC7B90EB75E901CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f858f2a845746ba1f8cf52d8b84730464d8d210f551c8928a4122fe19eace8fb
                                    • Instruction ID: fae8120454439acb8270e6000d10c58398199f801d8b6569ec7e35dfa672ca07
                                    • Opcode Fuzzy Hash: f858f2a845746ba1f8cf52d8b84730464d8d210f551c8928a4122fe19eace8fb
                                    • Instruction Fuzzy Hash: DA218BB1A00649AFD715DB6CD884E6ABBB8FF48744F140069F904D7791E634EE50CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                    • Instruction ID: 2a92fbf8a4be7cc91be06faf2683c17ed7be17b2fa8497005e000b662f8692fd
                                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                    • Instruction Fuzzy Hash: C62171B1A00709EFDB21DF59C885A6ABBF8EF54314F14846EE949D7211D334EE408B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e9b3bc90d422a9610b52a7d18a01c1f1686ba410fee3910d784e8bec9b9c2b97
                                    • Instruction ID: 50dda1982353a7a631cb39c941f05c2866a6a59c735af10fa18aa2ada1dd75dd
                                    • Opcode Fuzzy Hash: e9b3bc90d422a9610b52a7d18a01c1f1686ba410fee3910d784e8bec9b9c2b97
                                    • Instruction Fuzzy Hash: 50218072600109AFD715EF98CD81F5ABBBDFB44B48F150068EA04EB251D371EE01DB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 33a908e5fde82a4bb19ef66bdcd1c69910a89b3fb7f77fab5798354d6fcaa848
                                    • Instruction ID: c4a7891f63ea3c7311cbb3e1e2945686483262c3a1a8d26c89f108035687eb2a
                                    • Opcode Fuzzy Hash: 33a908e5fde82a4bb19ef66bdcd1c69910a89b3fb7f77fab5798354d6fcaa848
                                    • Instruction Fuzzy Hash: FB2100324003499BD721EF2CD944B6BBBECEF91384F180556FA40C7250E735CB48C6A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                    • Instruction ID: 9ab446f4cf570c3770c000c6589093a51e20ffa256de6128d30ee335dbfab758
                                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                    • Instruction Fuzzy Hash: 5C21F236204214AFD705DF2CCC84A6ABBA9EBD4750F088569F9998B389D730D909CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f88aa4725b3013a64ef3e0d2fd04be8348a195d178ab9ac6e2f18e06d88b5ff1
                                    • Instruction ID: cf58ce8c1f37f9069f8277263fc4750ca7453fc53b0fc279f163cf69c40fcf7b
                                    • Opcode Fuzzy Hash: f88aa4725b3013a64ef3e0d2fd04be8348a195d178ab9ac6e2f18e06d88b5ff1
                                    • Instruction Fuzzy Hash: 4921AE72900644AFC725DFA9D880E6BBBA8EF48340F10056DF60AC7750E634EA00CBA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                    • Instruction ID: 9d5fbde8b67b1df254b4dfb8a2726243beeda3c28eb42044baafd5ad30a63881
                                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                    • Instruction Fuzzy Hash: BE21D4326016859FE716DB6CC948F257BE9EF44B54F0904A4ED04CB792E774DE40C7A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                    • Instruction ID: b2419a8466ad2bafdb9f376ae8e97667ab2507b4bf6ce6784018f896715da2c7
                                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                    • Instruction Fuzzy Hash: 30217972600A45DBD731DF0DC540A66FBE5EB94B10F24816EEA49CB611D730EE00CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 26d851f3303a862abb667b72e221283235c0ff3a9e8aaa69c3683023263dafae
                                    • Instruction ID: ef797124f786d44c748ea3a9f13219572bacd95605a3a3bc3f45dd8c4915bb9d
                                    • Opcode Fuzzy Hash: 26d851f3303a862abb667b72e221283235c0ff3a9e8aaa69c3683023263dafae
                                    • Instruction Fuzzy Hash: 66116B333112149BCB19DA688D81A2BB3D7EBC5770B28012DDD1AC7380D931DE02C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 0caa90c53cfcee2620d8bf4d9b09062dc2f1addfc7ef3a27e5f1d6635bbd81bf
                                    • Instruction ID: f090b9bc2076bec85ad1e9322d60b31992e232f3aeb43b4a8d992957507db532
                                    • Opcode Fuzzy Hash: 0caa90c53cfcee2620d8bf4d9b09062dc2f1addfc7ef3a27e5f1d6635bbd81bf
                                    • Instruction Fuzzy Hash: 51212532441A01DFCB62EF6CCA44F5AB7B9FF28709F15456CE149C6AA2CB34EA41CB45
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e0be7cb54e946410c4221e803b0326c4f9c4cc0a42ae7014abdf22cfc35fc53
                                    • Instruction ID: 7e5a8ef5ee099ef4ceb3e07b5b2cf929ca824f2195868f10f14dda23e92ee03b
                                    • Opcode Fuzzy Hash: 4e0be7cb54e946410c4221e803b0326c4f9c4cc0a42ae7014abdf22cfc35fc53
                                    • Instruction Fuzzy Hash: 14219D78904701CFCB25EFA8D014E24BBF1FB86315B55826EC10DCBA99DB32D691CB01
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c020ec5e9e1022a2645ab0c3a6e91fff493f97b17dcb493033bbcd3a663048df
                                    • Instruction ID: 138819e8ad43d8688e234673a311455ee6de762ba9f701be80fc4e6007f6f343
                                    • Opcode Fuzzy Hash: c020ec5e9e1022a2645ab0c3a6e91fff493f97b17dcb493033bbcd3a663048df
                                    • Instruction Fuzzy Hash: 27114E7174430167E770BA6E9C90F1AF6DAFBA0B50F18402AF706D7291D5B0EB05C795
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                    • Instruction ID: aa0cae1fa42587fc3398c05137dacb138d78f4090d1318b050188395c26abf5d
                                    • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                    • Instruction Fuzzy Hash: 8811E572504208BFCB059F5CE8808BEBBB9EF95314F10806AF944C7351DA319E55D7A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7affd1e8e383e317cdde583c51ee448abf41c633b176586d7ca16cfa8bb3cfe4
                                    • Instruction ID: 04953e33c3ac50fb1c563ef9c3a9c6cfb1a06d855909aa79e349e14aaf2683c4
                                    • Opcode Fuzzy Hash: 7affd1e8e383e317cdde583c51ee448abf41c633b176586d7ca16cfa8bb3cfe4
                                    • Instruction Fuzzy Hash: DB11C23530070B9BCB25AF6DDC8592AB7E5BB94B14B00052CE946C3651EB30EE10CBD2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8cea70f299a8a7ba0fd30369ffbb7896a755c4fac607a024724bdbde7df92b48
                                    • Instruction ID: b0b1afdafbba0a81fe7ee969fc1a08e7fd2fe111ae1bef48f49997dfb939c978
                                    • Opcode Fuzzy Hash: 8cea70f299a8a7ba0fd30369ffbb7896a755c4fac607a024724bdbde7df92b48
                                    • Instruction Fuzzy Hash: 0401D6B29016119BCB378B6D9940E26BBE6FF85B547194069ED5AEF315DB30CB01C7C0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                    • Instruction ID: 7850df7d0ebdbdbc9c0249d426c7712397fdbe8db652e4afa7c97acdaf27af4b
                                    • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                    • Instruction Fuzzy Hash: B511C8326066C18FE723D7ACC568B357BD4AF41B58F0900A4ED14C7693E739DB82C261
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                    • Instruction ID: c13a0702e694a779a13952ad9991e85647d0faa6e8162b2f9f8a92f7f1ee06b9
                                    • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                    • Instruction Fuzzy Hash: 3301A232701119ABD720EE6ECC41E5BBBADEB84B64F280534BA09CB250DE30DE01C7E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: faf50d86fad0d708723b2f7636ca5ca874faedbbe895bf722c301d56a4ad0e1b
                                    • Instruction ID: 77b16df5bb9ea849e851c72cf22b6855c9b83ac81e32a23a1a952d1c8f0e099a
                                    • Opcode Fuzzy Hash: faf50d86fad0d708723b2f7636ca5ca874faedbbe895bf722c301d56a4ad0e1b
                                    • Instruction Fuzzy Hash: 8301AFB2A05604CFD3259F1CD840B22BBFAEB85729F264466EA05CB692C774DE41CBD0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                    • Instruction ID: 923b7095daf24341ed4aa1c1cee8267dc487003eab192a1bda987a4d39ade157
                                    • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                    • Instruction Fuzzy Hash: CC019671140506BFEB21AF6DCC84E63FB7DFF55395F044529F21492560C721EDA1C6A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25b4fb5285e94ee2a8248beac308b5a2fe763d69fe8d2174571a0c014d448d09
                                    • Instruction ID: 6f02921d2d2a9362b85df4f48d8b95f81ce2579a508eaa25b65cc887664a077b
                                    • Opcode Fuzzy Hash: 25b4fb5285e94ee2a8248beac308b5a2fe763d69fe8d2174571a0c014d448d09
                                    • Instruction Fuzzy Hash: 1E018F72241A467FD751AB6DCE84E13F7ACFF95760B000229F608C3A11DB24ED51C6E5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7364fc42ca72c21a7710eecae6e28755b03b2d8e41d837bd9a37f1e3593070cb
                                    • Instruction ID: 8ca86ae5530437835ffe24e2bef5f479bcbec5d6bd4cca6c8d812f2ceb277e8e
                                    • Opcode Fuzzy Hash: 7364fc42ca72c21a7710eecae6e28755b03b2d8e41d837bd9a37f1e3593070cb
                                    • Instruction Fuzzy Hash: 50019E71A0124CAFCB14DFACD845EAEBBB8EF44710F04406AFA04EB280DA74DA40CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 91a57ad33b494e4854b868e734f9abb4a26208709db45db83d972df6d85280a2
                                    • Instruction ID: 746d45c5a574761fbfd50b0d29045112f8527f68e52ee27e6821da0d4f2fc2ee
                                    • Opcode Fuzzy Hash: 91a57ad33b494e4854b868e734f9abb4a26208709db45db83d972df6d85280a2
                                    • Instruction Fuzzy Hash: 4F019E71A0120CAFCB14DFACD841EAEBBB8EF44710F04406AF904EB280EA74DA41CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6cdc581d83c044b9daca3b9632bd06c438381026fc5d651556c7f9b942c430dc
                                    • Instruction ID: b81e22ceb9ef4ade1684e51f46f9434bdcc8add327c327ead129c790fba8d71b
                                    • Opcode Fuzzy Hash: 6cdc581d83c044b9daca3b9632bd06c438381026fc5d651556c7f9b942c430dc
                                    • Instruction Fuzzy Hash: 66018F31A00209DBDB14EB6DE8009BEB7B8EB85374F590069AE05DB244DE24DF06C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                    • Instruction ID: 2613b85628caad3085a6cf6e6c15386d8b6dabfa4fe1c21319141c8cb9168908
                                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                    • Instruction Fuzzy Hash: 08018472301684DFE327C71CC988F667FDCEB85758F0900A1FA15CB651D629DE40C622
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5af9a1a306f152a9b8fe1a720ff3e0aa257b8f8f8033c18154054827cd4cbbf4
                                    • Instruction ID: e82c3f958cdf76eb6f4022e3f66282c7f80c990aab4c24221d45d58c7861da88
                                    • Opcode Fuzzy Hash: 5af9a1a306f152a9b8fe1a720ff3e0aa257b8f8f8033c18154054827cd4cbbf4
                                    • Instruction Fuzzy Hash: E6014C726447429FC711DF69C844F1A7BD9BBC4310F048529F98983695EE34D950CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 42eaeabc40a73958d0b6f86b1ba5ada05eea243c512181ed49a97ec725888c3f
                                    • Instruction ID: a9b198140a03ff78a15986e00f4e124f4dff5bdab69843797273ee1122a7c2be
                                    • Opcode Fuzzy Hash: 42eaeabc40a73958d0b6f86b1ba5ada05eea243c512181ed49a97ec725888c3f
                                    • Instruction Fuzzy Hash: 9D018471E01209AFDB14DBADD845FAEBBB8EF54710F04406AFA04EB280EA74DA01C7D5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61005088e2fd0c4718075ec5c0077e24bd4acfedb44cebfdf677da45463d6700
                                    • Instruction ID: f0d55f54b9a6ca301ae11f56a8f77d8dfc2578a7eea7b77e886f2cc0fee2f94e
                                    • Opcode Fuzzy Hash: 61005088e2fd0c4718075ec5c0077e24bd4acfedb44cebfdf677da45463d6700
                                    • Instruction Fuzzy Hash: 8201B171A04209AFCB24DBA8D805EAEBBF8EF40B04F044066B900EB280DA34AA00C795
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ec00b7f3897b3a2cfc62e86737317799d9d3f7a167fab64acacd580170c7bfe1
                                    • Instruction ID: 4d357497820d9fe9405ce633e343f83c7e742ff30e74ca8349490663f53ff753
                                    • Opcode Fuzzy Hash: ec00b7f3897b3a2cfc62e86737317799d9d3f7a167fab64acacd580170c7bfe1
                                    • Instruction Fuzzy Hash: 47111E70E002599FDB04DFA9D441FAEBBF4FF08300F0442AAE518EB381E6349A40CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 246b6b9965c28447844aaf859190b79e887453905d4ce96ef6439f8fdbcadece
                                    • Instruction ID: fcd0d968d09fda6336386b8de0ab9278f8a60c051bcac7a3de463395e8751ff3
                                    • Opcode Fuzzy Hash: 246b6b9965c28447844aaf859190b79e887453905d4ce96ef6439f8fdbcadece
                                    • Instruction Fuzzy Hash: B2012C75A0121DAFCB04DFADD941DAEBBF8EF58710F14405AF904E7341EA34AA00CBA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                    • Instruction ID: 2dfba4b928c1e854af63995f886ba1ff8464845fbe15436371ad60b8a794cf2f
                                    • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                    • Instruction Fuzzy Hash: F9F0C8332015239BD3725ADD4884B67BAABCF91BA1F150135BE05DB344C9608A0286D3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                    • Instruction ID: 259365518aad493ccec9ee4aeb9643f82801fb88ca9a7f196c3cd3c1da05cf5f
                                    • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                    • Instruction Fuzzy Hash: C301F932200684DBD322975DC848FA97F99EF51754F080061FE15CB7B2D774CA00C325
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b10f04b4debb3e5060d112fd4ccd9f4dee0603409f773a3efc0a7b7a5e55cd9e
                                    • Instruction ID: 35800b7b074fbd768eb34b5ede4e45bdb99aa62962b3bbda1eb8697e449bbef8
                                    • Opcode Fuzzy Hash: b10f04b4debb3e5060d112fd4ccd9f4dee0603409f773a3efc0a7b7a5e55cd9e
                                    • Instruction Fuzzy Hash: 92016270A0020DAFCB14DFACD545A6EBBF4EF14704F144159A504EB382D635EA01CB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 15073043c73de1b558e46a328255a6a0e5e36605c1f0f38addd35ccb2e72a3a2
                                    • Instruction ID: b4f2b390ebc8c3bcd21a0509abac04a26fc3155e8b2363a42ae22279aa9e2675
                                    • Opcode Fuzzy Hash: 15073043c73de1b558e46a328255a6a0e5e36605c1f0f38addd35ccb2e72a3a2
                                    • Instruction Fuzzy Hash: C0011975A0124DAFCB04EFA9D545AAEBBF4EF18700F404069B905EB385E634AB40CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 73ea44f5927237a359aca7dc517d88c8f985b3576b0456e3e6de087668762339
                                    • Instruction ID: fdf69ea250fb6e7762b9585ec7e0ade8e8a2dd45ed154cbe9848b04c5b878448
                                    • Opcode Fuzzy Hash: 73ea44f5927237a359aca7dc517d88c8f985b3576b0456e3e6de087668762339
                                    • Instruction Fuzzy Hash: 35013C74A01209AFDB04EFA8D545EAEBBF8EF18300F104459F905EB380EA34EA00CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 36d96690a4c615f07b202fedb9af48580b2ac078674eea64b4a73e31f703de12
                                    • Instruction ID: c6a9dbe1e487cc707a00032046b0ace9644e97fd8a569ce1140da7f4ba3729bf
                                    • Opcode Fuzzy Hash: 36d96690a4c615f07b202fedb9af48580b2ac078674eea64b4a73e31f703de12
                                    • Instruction Fuzzy Hash: 0CF04F71A05248AFDB14DFA8D405E6EBBF4EF14300F044469A905EB281E6349A00CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 26a9ac8ebc395103f27c20c6c31541334dfa6a052045a1d1da36fd59ddd9a589
                                    • Instruction ID: 9e60f3af8e9cc2f28467f7f2f49dba9813e3f1a0cbfcddb5dbeffd62dad94a6d
                                    • Opcode Fuzzy Hash: 26a9ac8ebc395103f27c20c6c31541334dfa6a052045a1d1da36fd59ddd9a589
                                    • Instruction Fuzzy Hash: 47F090B2915A979EE7368F1C8044B217FD4BB45778F444466F515C7102C7A6DE80C251
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2cdebd796eb7b1e124afe1f7b11ec27d5eadbc6f188fe9ed64070669a7f01163
                                    • Instruction ID: fc39a3e3f56cc0995c60c693a49fc9a3d2521edf8326716c5b71182c6cbadbd1
                                    • Opcode Fuzzy Hash: 2cdebd796eb7b1e124afe1f7b11ec27d5eadbc6f188fe9ed64070669a7f01163
                                    • Instruction Fuzzy Hash: 67F0B470E046189FDB14EFBCD445E6E77F4EF14700F148099E905EB280EA34DA00C755
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c6daf7c29f1ba64edc3c21e2da19f65c7c1af122432d35e2c3f568f117dc6c9a
                                    • Instruction ID: d43aebc16199ef6c0b419e706eb92be3f5c41c5f6fa87b9f0f1809830b33333f
                                    • Opcode Fuzzy Hash: c6daf7c29f1ba64edc3c21e2da19f65c7c1af122432d35e2c3f568f117dc6c9a
                                    • Instruction Fuzzy Hash: 1EF0A07E81A28D4BEE33BB786111AE17B9AD795211B2A0585D5A81720EC93889D3CB20
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                    • Instruction ID: dfdf88992325251d2b564388d499c5413fe2891f4d469db30151a86e35fb4786
                                    • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                    • Instruction Fuzzy Hash: 84E02B323405016BEB119E4DCC80F03379DDF92724F0440BCF5009E242C6E5DE0887A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a3d1c55423f92f6b683dc9a2e2fae751efa0fbd70b81d21620f2201b293d6603
                                    • Instruction ID: 19f4cfaa681c6bc92342ef1784b2c43d119537c795303e684a9f88ca0c8aa85e
                                    • Opcode Fuzzy Hash: a3d1c55423f92f6b683dc9a2e2fae751efa0fbd70b81d21620f2201b293d6603
                                    • Instruction Fuzzy Hash: CBF08270A05259ABDF04DBACE945E6E77F8EF18304F140199E915EB280EA34EA04C755
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe8c5926984e955335e87b213cda5c48ed2fc69a7fc4acb4868ccd318e926309
                                    • Instruction ID: 8de27306e43c59addbe6a0f14513c852eb90ed4691b546b9837c3a5afcd87cc1
                                    • Opcode Fuzzy Hash: fe8c5926984e955335e87b213cda5c48ed2fc69a7fc4acb4868ccd318e926309
                                    • Instruction Fuzzy Hash: FFF0BE39900149AADF029B6CC8C4BBABFB1AF14358F080219D951EB161E725DA01C7C6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 10377932ca09831eefbcb54a1c35fb7da24e852203da2c32fe14b18fe91027b7
                                    • Instruction ID: 6548238c271a16a52590eb90c5af746a2c2028d4db91a10d5f75e2f13b28ce0d
                                    • Opcode Fuzzy Hash: 10377932ca09831eefbcb54a1c35fb7da24e852203da2c32fe14b18fe91027b7
                                    • Instruction Fuzzy Hash: C8F0BE325257958FD772CB5CC1C4FA3B7E4AB00778F444464E405C7A22D724EA84C680
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ec2f1066fd0e3402231cb4d5d38d9f93f83a837ac47df0c3990eafc69b67b41c
                                    • Instruction ID: a1671441b837a92f664ef01982a47714ccb697f23f510520f22f182da33d50a8
                                    • Opcode Fuzzy Hash: ec2f1066fd0e3402231cb4d5d38d9f93f83a837ac47df0c3990eafc69b67b41c
                                    • Instruction Fuzzy Hash: B4F082B0A04259ABDF14EBACD906E7E77F8EF14704F040459FA05DB380EA34DA00C799
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e3f5430f09975cada7567f7659c4913d9c2ae5180181005cbae6372d467b2285
                                    • Instruction ID: e4a25b9e9b4e01dba9a681ba723894b4a7f1cecb2562d27fe42f107e633c9b73
                                    • Opcode Fuzzy Hash: e3f5430f09975cada7567f7659c4913d9c2ae5180181005cbae6372d467b2285
                                    • Instruction Fuzzy Hash: 75E092B2A01421ABD7266A5CAC40F66779DDBE4755F0D4035F604E7264D628DE01C7E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                    • Instruction ID: db51eaafbe0e95842516d9a8f1bb892796a5794b5740a9090fd4c2f65c96bcd1
                                    • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                    • Instruction Fuzzy Hash: 46E0DF32A42118FBEB61AADD9E05FAABFACDB58B60F000195BF04D7151D5609F40C2D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 112c01b4fcd39e5cfcd61cc086c9a77d0f8b992234cc1d4bb572fe77a876a0ac
                                    • Instruction ID: 089ef76b6a710342f44c6296dfc42af9b58943d2b4462982574ff252a489db7f
                                    • Opcode Fuzzy Hash: 112c01b4fcd39e5cfcd61cc086c9a77d0f8b992234cc1d4bb572fe77a876a0ac
                                    • Instruction Fuzzy Hash: F7E0DFB02052049FD736DB59F060F293B9CAB92721F19801DE208CB102CE21DA80C286
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1faae1c735ca243ab53d7720e05a471297f15b0b44da025f3af602ce95b3639e
                                    • Instruction ID: acc302319e1afe20d74a0d680a5b31c2fe1ded20dc59d0d3409b4380a01ed34e
                                    • Opcode Fuzzy Hash: 1faae1c735ca243ab53d7720e05a471297f15b0b44da025f3af602ce95b3639e
                                    • Instruction Fuzzy Hash: 75F01578894701CFDBB0EFE99524B283AE4F794312F40411AD108C7A88D73446A0CF02
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                    • Instruction ID: fd1add3851936e184b1d06a49467c1b125e3777bd6a8f34283c3463204ba3bdb
                                    • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                    • Instruction Fuzzy Hash: F7E0C231280209BBDB235E88CC00F69BB9ADB507A5F104031FE089A6D0C671DE91D6C4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 03b0af1ea7a3db892370249b09e94e40c5530e22c092425e7e0e6e554e88ae87
                                    • Instruction ID: 48e36c38b494e40e84a9f599a163e3c1f5e408909e61c99e336ab2448d8baf22
                                    • Opcode Fuzzy Hash: 03b0af1ea7a3db892370249b09e94e40c5530e22c092425e7e0e6e554e88ae87
                                    • Instruction Fuzzy Hash: B2D02BF516060057C72D7304C914F257252F781B64F34040EF20BCB9D0E954CDD1E109
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2d498a286275d06d5014b8f6ad5db9af6501e5c95f5d2c326368ba41e017e004
                                    • Instruction ID: be229fedb1ccec77adacbb7722696d8f19690c2a6508d0b2804b441c02bb3529
                                    • Opcode Fuzzy Hash: 2d498a286275d06d5014b8f6ad5db9af6501e5c95f5d2c326368ba41e017e004
                                    • Instruction Fuzzy Hash: 29D02279B451DAC643260C3974000B8F322DEC3023F6812BACA88A3843EB02C017828A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 46f59813791d3413e60a152eb94c286df1de654d327d7aa8723178f6361b01b6
                                    • Instruction ID: f772fad337dee71563c71a28444fe903499d424177268ce79c5be33d07d709c8
                                    • Opcode Fuzzy Hash: 46f59813791d3413e60a152eb94c286df1de654d327d7aa8723178f6361b01b6
                                    • Instruction Fuzzy Hash: 83D0A7711102019AEA2DBB189808B143651EF90785F38005CF20BC98C0CFA0CED3E048
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                    • Instruction ID: a94428b71a4c0b1d011525268c07d3f09af2ea6703d51f375b95975efc5545ab
                                    • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                    • Instruction Fuzzy Hash: EFE08C319007849BCF16DB4CC690F4EBBF9FB45B40F140004A108AB620CA35EE00CB00
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.362458702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a36b11bdb830215d2e72dcd90835245b0790c011d375bd3e981547875acbead7
                                    • Instruction ID: bcaf453f26e5fe6df15b05d7560ad9384c191707efcb020c0866232d2438ab6f
                                    • Opcode Fuzzy Hash: a36b11bdb830215d2e72dcd90835245b0790c011d375bd3e981547875acbead7
                                    • Instruction Fuzzy Hash: 8AB09206F09254009A30494938410B0FB6091C3062A0026ABCA49A34009442C019028D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                    • Instruction ID: dcaeaac93295ac9cccb6171802a1624a001a934ec4964d87d532aea89acb4c70
                                    • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                    • Instruction Fuzzy Hash: 91D0A931401185BAEB02FF18C2187683BB2BB00B08F582465A90286852C33ACB0AC722
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                    • Instruction ID: de30568db8fc4fdcf42c6dea65b34d16373faa7e979cacfe1f389b3de211d38d
                                    • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                    • Instruction Fuzzy Hash: 22D0E939352980CFD61BCB1DC594B5577A8BB44B45FC504A0E501CB762E62CDA44CA10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                    • Instruction ID: 8d4de20235539cd2f869e452546c33ecd29296e1f27d6077f8f2cc39eb129c9f
                                    • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                    • Instruction Fuzzy Hash: 09C08C33080248BBCB126F85CC00F067F2AFBA4B60F108410FA080B570C632EA70EB84
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                    • Instruction ID: 54706eff25e987705c8dbcccf1d919b62ee27c9790720de75aa2c017c9eb2d26
                                    • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                    • Instruction Fuzzy Hash: 8DC08C30280A01EAFB222F24CD01B003AA1BB10B02F4400A06B00DA0F0EB78DA01E600
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                    • Instruction ID: 94c48a50090968f56c95aa9f98fc22f1339c7c09452360de6328478f26d80751
                                    • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                    • Instruction Fuzzy Hash: 81C02B330C024CBBC7126F49CD00F01BF2DE7A0BA0F000020F6044B671C932ED61D588
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                    • Instruction ID: 57b12d90fb3b10428726bfd54941865c5e9f01e180b298bceb88bd8a8cf9bb85
                                    • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                    • Instruction Fuzzy Hash: 49C08C70150440EAEA156B288D00B147254B700B21F6402547220854E0D528ED00E100
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                    • Instruction ID: 5f9be77932f2a73453493447d2a009f015ec0e5a53e7d969caab639b47b4ee1c
                                    • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                    • Instruction Fuzzy Hash: 8AC08C701411845AEB2A570CCE24B203A59AB0870DF68019CAA01894A2C36CEE03C248
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                    • Instruction ID: 1cc0bdef32f524a77e0e01e307c84c7cf2e7cd9015ec40a8909006ee74aa2bc1
                                    • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                    • Instruction Fuzzy Hash: A6C08C32080248FBC7126E45DC00F017B29E7A0B60F000020B6040A5608532EDA0D588
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                    • Instruction ID: d088f846dece8ef4de7c2ebae3340c531084f13a28b1fb3858835ca3f32653a0
                                    • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                    • Instruction Fuzzy Hash: B1B092353029808FCE16DF18C084B1533E4BB48B40B8400D0E400CBA21D229E900C900
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                    • Instruction ID: f8522929d8d38b23e71a84c164e97027f35e4cb6669095392d82be9a36d6ef11
                                    • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                    • Instruction Fuzzy Hash: 82B01232C10441CFCF02EF44C650B197335FB00750F054490910177930C229AD01CB40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f285fff09a1bb703526d8e04cffdb58b103451fa457bfe411bd379bf3ba5dba5
                                    • Instruction ID: 60291cffbf7f60a2a2538dfe5de0fc63b178425f411457cbd2c89653b80c46ed
                                    • Opcode Fuzzy Hash: f285fff09a1bb703526d8e04cffdb58b103451fa457bfe411bd379bf3ba5dba5
                                    • Instruction Fuzzy Hash: D69002A121100053E104619944047060045A7E1341FD1C112A314C6A4CD9698D656165
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1209bf274138289476928fa0969a007bbc0a83444629e4dceb7f681c1301be62
                                    • Instruction ID: 34868e9477397d6b719c961b8f109ca520bc17bed3642f4eac334ed484553255
                                    • Opcode Fuzzy Hash: 1209bf274138289476928fa0969a007bbc0a83444629e4dceb7f681c1301be62
                                    • Instruction Fuzzy Hash: D090027120100813E104619948046860005A7D0341FD1C111A701C7A5EEAA589957171
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f688613f4460969e0893da3fbcabdbdcd242e4de43405d59a90d51468cfde25b
                                    • Instruction ID: 5c674f3fd2802c18552dea2069cf4ffb812e375ac2237f0b36ceb711dc3f8d7c
                                    • Opcode Fuzzy Hash: f688613f4460969e0893da3fbcabdbdcd242e4de43405d59a90d51468cfde25b
                                    • Instruction Fuzzy Hash: D89002E1201140A35500A2998404B0A4505A7E0341BD1C116E204C6B0CD9658955A175
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9bcd92365aa3079f2151e35c1abe69b93930607bc5a466e0d10202c7d0074109
                                    • Instruction ID: cb06cbee918eeb02ea71dd1f2d674c76b7e887c638df674d038c28c16364a3b0
                                    • Opcode Fuzzy Hash: 9bcd92365aa3079f2151e35c1abe69b93930607bc5a466e0d10202c7d0074109
                                    • Instruction Fuzzy Hash: 9E900271A0500023A140719948146464006B7E0781BD5C111A150C6A4CDD948B5963E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8948cbc2ad191d27d237242016582729e0f65af043eba4ec0792762df088b335
                                    • Instruction ID: aec543a95a5801798bf6333fa46a48420f8391e77f423f64d9a864f0d578e2b7
                                    • Opcode Fuzzy Hash: 8948cbc2ad191d27d237242016582729e0f65af043eba4ec0792762df088b335
                                    • Instruction Fuzzy Hash: FD9002A120140413E140659948046070005A7D0342FD1C111A305C6A5EDE698D557175
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ff86d442d3bf1f0b37c524fa8d798754a558557f05d1a97a08b48e02f6068383
                                    • Instruction ID: 9ccf93891c5e9a83a0484eeba407a07e186d8c398f60819556837f0aeee28f25
                                    • Opcode Fuzzy Hash: ff86d442d3bf1f0b37c524fa8d798754a558557f05d1a97a08b48e02f6068383
                                    • Instruction Fuzzy Hash: 01900265221000131145A599060450B0445B7D63913D1C115F240E6E0CDA6189696361
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 21017b550393726f4758a3432e2e493144d625b58a9cbfbfff743ca788611680
                                    • Instruction ID: 3e78deb59a8e8c0908b47af1721358424dcc9a414bd3058f3e7c434c0ef1c278
                                    • Opcode Fuzzy Hash: 21017b550393726f4758a3432e2e493144d625b58a9cbfbfff743ca788611680
                                    • Instruction Fuzzy Hash: 6D90026130100413E102619944146060009E7D1385FD1C112E241C6A5DDA658A57B172
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9877f1777ddcb0f1b57b5e5cf3c235410c3d7c84013257d84b6d6cb739dbe7dc
                                    • Instruction ID: fe06d44488edba1e486eda9b6b09da809486af6b0146cdace8990c73da1e2e68
                                    • Opcode Fuzzy Hash: 9877f1777ddcb0f1b57b5e5cf3c235410c3d7c84013257d84b6d6cb739dbe7dc
                                    • Instruction Fuzzy Hash: 5B90027124100413E141719944046060009B7D0381FD1C112A141C6A4EDA958B5ABAA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3148111a50fb6f7222f4de70d54a1ee052bf5e0344aa9a70a9a9ec829c2bb012
                                    • Instruction ID: afb7a28a80b2aa393c1b172afc902c5fb041e203f05b33056c12ec5311601207
                                    • Opcode Fuzzy Hash: 3148111a50fb6f7222f4de70d54a1ee052bf5e0344aa9a70a9a9ec829c2bb012
                                    • Instruction Fuzzy Hash: 909002A1601140535540B19948044065015B7E13413D1C221A144C6B0CDAA88959A2A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5f18b5a87e4be86486e89b8fa4238ce5544907e4ae76f2d99f130c908c7a1572
                                    • Instruction ID: f72888932a5800f81c95cd085d418199ca64883ef07c0e35fc523fddb2c6d360
                                    • Opcode Fuzzy Hash: 5f18b5a87e4be86486e89b8fa4238ce5544907e4ae76f2d99f130c908c7a1572
                                    • Instruction Fuzzy Hash: E790027120144013E1407199844460B5005B7E0341FD1C511E141D6A4CDA55895AA261
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 30b2d85bee73aafa2b5a8769d5f5e6d73c9790811473cea2e2beeabfa3cb2725
                                    • Instruction ID: dc13446342c5b1287df32e13214e6b45c9091440c8f421d8b6aef7f56c0244b7
                                    • Opcode Fuzzy Hash: 30b2d85bee73aafa2b5a8769d5f5e6d73c9790811473cea2e2beeabfa3cb2725
                                    • Instruction Fuzzy Hash: 2D90027131114413E110619984047060005A7D1341FD1C511A181C6A8DDAD589957162
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a65eaa4ebdbee400bf7764fe8b8d43c722274b043628d3d975c050c8119e1e02
                                    • Instruction ID: f01d879aad1ac6f28a37766d1859bd1e1a1fe794805b3a063feeda526fedde58
                                    • Opcode Fuzzy Hash: a65eaa4ebdbee400bf7764fe8b8d43c722274b043628d3d975c050c8119e1e02
                                    • Instruction Fuzzy Hash: 5C90026124100813E140719984147070006E7D0741FD1C111A101C6A4DDA568A6976F1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8abcfcd8f4d1b844a2b912e5eb1488266dcdb29bbed6195ff74755e44de54d64
                                    • Instruction ID: bd7c54938e85011ac039591c8e481ad7e155afebcd5fd1826e35f29b267f95d5
                                    • Opcode Fuzzy Hash: 8abcfcd8f4d1b844a2b912e5eb1488266dcdb29bbed6195ff74755e44de54d64
                                    • Instruction Fuzzy Hash: AE90027130100063A500A6D95804A4A4105A7F0341BD1D115A500C6A4CD99489656161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05dbf7c99c62cd98a7f86595a91c84aa2b1f291fe2e7058915e11d456e668682
                                    • Instruction ID: 6810ef6e1fc2b87fedd7cf773628b9b9621349a7e2052580cd4a7fd16491ed71
                                    • Opcode Fuzzy Hash: 05dbf7c99c62cd98a7f86595a91c84aa2b1f291fe2e7058915e11d456e668682
                                    • Instruction Fuzzy Hash: 5090026160500413E140719954187060015A7D0341FD1D111A101C6A4DDA998B5976E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f3339704e7f3ab67056c4dbae9deaf336429b2b02312616f12c6aaf98c1e6a40
                                    • Instruction ID: c3a7469b3c2ee847db6199049c7f42ddaee04ad151f497d1b40dbc8860c33b4f
                                    • Opcode Fuzzy Hash: f3339704e7f3ab67056c4dbae9deaf336429b2b02312616f12c6aaf98c1e6a40
                                    • Instruction Fuzzy Hash: 5690027120100413E100619955087070005A7D0341FD1D511A141C6A8DEA9689557161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2dab988fe0ec9540ca0dbc2acf55d4591dfd77f719da5db880244855f5a48eec
                                    • Instruction ID: 59e59e8b5fdd16ceb9e7e2921c210cb99d2d01a20d9a9ec058747bdfda6aabcb
                                    • Opcode Fuzzy Hash: 2dab988fe0ec9540ca0dbc2acf55d4591dfd77f719da5db880244855f5a48eec
                                    • Instruction Fuzzy Hash: 9490026120504453E10065995408A060005A7D0345FD1D111A205C6E5DDA758955B171
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 594120acba88c3568a7d0caa7a21fc44c1c9a8fd798129a48c896ffb6898f7eb
                                    • Instruction ID: 853105f029676ddb1ff60898cb09b8f570fc2dd296d1e94d836b72a412de04b0
                                    • Opcode Fuzzy Hash: 594120acba88c3568a7d0caa7a21fc44c1c9a8fd798129a48c896ffb6898f7eb
                                    • Instruction Fuzzy Hash: AF90027520504453E50065995804A870005A7D0345FD1D511A141C6ECDDA948965B161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0d6dbeaea7ffdede3b00f91d8e10cd63114707e3f8d7708b401af47d272cc363
                                    • Instruction ID: b26ef8debec16861d7e94a0deac62f072b246d0f3a6a4c96237d8d47f3b968cf
                                    • Opcode Fuzzy Hash: 0d6dbeaea7ffdede3b00f91d8e10cd63114707e3f8d7708b401af47d272cc363
                                    • Instruction Fuzzy Hash: F490026120144453E14062994804B0F4105A7E1342FD1C119A514E6A4CDD5589596761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5f0fb53bba43bfe420b887754ce8c402b2a9c5824ccccc2fa5212cac6988f45f
                                    • Instruction ID: b86ce4c56cb4634406d2460ed8e3c51a15c0aead547d83439627ca15aeec19e7
                                    • Opcode Fuzzy Hash: 5f0fb53bba43bfe420b887754ce8c402b2a9c5824ccccc2fa5212cac6988f45f
                                    • Instruction Fuzzy Hash: 4F90027120100853E10061994404B460005A7E0341FD1C116A111C7A4DDA55C9557561
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5aaf2bcf179ee3a3005582a519481ced67d76cdb3479eed9488eb4a1d59acd50
                                    • Instruction ID: 89dfb2ab7d947bd37f028f2e74f1ca1b3a25e4ed40bce8bff726a14b97ecf0ad
                                    • Opcode Fuzzy Hash: 5aaf2bcf179ee3a3005582a519481ced67d76cdb3479eed9488eb4a1d59acd50
                                    • Instruction Fuzzy Hash: C090027160500813E150719944147460005A7D0341FD1C111A101C7A4DDB958B5976E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 44af57c5506e76e0d32dc5a95e2658c98460419d947b8de9ccaf8e7d08382901
                                    • Instruction ID: 823481f345ca0ad91134f0122efce3c166ac8d3bf2cdf583421b5200228cb47a
                                    • Opcode Fuzzy Hash: 44af57c5506e76e0d32dc5a95e2658c98460419d947b8de9ccaf8e7d08382901
                                    • Instruction Fuzzy Hash: A390027120140413E100619948087470005A7D0342FD1C111A615C6A5EDAA5C9957571
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c371ed2e0262532fddcced92b3678de88c9253daa047282bac73ae9a23a185bb
                                    • Instruction ID: 81833543a967eea2838880af48b67dd40d38b0e410e5430b0884b37ceb99f4de
                                    • Opcode Fuzzy Hash: c371ed2e0262532fddcced92b3678de88c9253daa047282bac73ae9a23a185bb
                                    • Instruction Fuzzy Hash: FB90027120504853E14071994404A460015A7D0345FD1C111A105C7E4DEA658E59B6A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                    • Instruction ID: 672e2559d12b217acc140b2f20f3d5215a5fe16b230c5eee8d570b957e3d5979
                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                    • Instruction Fuzzy Hash:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 53%
                                    			E018EFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                    				void* _t7;
                                    				intOrPtr _t9;
                                    				intOrPtr _t10;
                                    				intOrPtr* _t12;
                                    				intOrPtr* _t13;
                                    				intOrPtr _t14;
                                    				intOrPtr* _t15;
                                    
                                    				_t13 = __edx;
                                    				_push(_a4);
                                    				_t14 =  *[fs:0x18];
                                    				_t15 = _t12;
                                    				_t7 = E0189CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                    				_push(_t13);
                                    				E018E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                    				_t9 =  *_t15;
                                    				if(_t9 == 0xffffffff) {
                                    					_t10 = 0;
                                    				} else {
                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                    				}
                                    				_push(_t10);
                                    				_push(_t15);
                                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                                    				return E018E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                    			}
                                     Instruction addresses (one per line of the C code above): 0x018efdda, 0x018efde2, 0x018efde5, 0x018efdec, 0x018efdfa, 0x018efdff, 0x018efe0a, 0x018efe0f, 0x018efe17, 0x018efe1e, 0x018efe19, 0x018efe19, 0x018efe19, 0x018efe20, 0x018efe21, 0x018efe22, 0x018efe25, 0x018efe40

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018EFDFA
                                    Strings
                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018EFE2B
                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018EFE01
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.363273180.0000000001830000.00000040.00000001.sdmp, Offset: 01830000, based on PE: true
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                    • API String ID: 885266447-3903918235
                                    • Opcode ID: 0f3573a719cee61d27cce6e11a83dc36f392c38dafaed9a675329c82d68ca1d0
                                    • Instruction ID: 73cff755b631ae4b1bd64d8b18b1312dfa073e4ad0b0a51101c55afcaad3a0d4
                                    • Opcode Fuzzy Hash: 0f3573a719cee61d27cce6e11a83dc36f392c38dafaed9a675329c82d68ca1d0
                                    • Instruction Fuzzy Hash: B7F0FC76144102BFE6201A49DC05F237F9ADB45730F140314F714961D1DA62FA3087F5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    APIs
                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00D64B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00D64B87,007A002E,00000000,00000060,00000000,00000000), ref: 00D69F7D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID: .z`
                                    • API String ID: 823142352-1441809116
                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                    • Instruction ID: e29b87f6abb582cccaa3548eaf39a21cc7420bb3f2a9a6801a0f3b9a1964b5b7
                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                    • Instruction Fuzzy Hash: 45F0B2B2210208ABCB08CF88DC95EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtReadFile.NTDLL(00D64D42,5EB6522D,FFFFFFFF,00D64A01,?,?,00D64D42,?,00D64A01,FFFFFFFF,5EB6522D,00D64D42,?,00000000), ref: 00D6A025
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    • Opcode ID: 96213414eff7c75733083490c3d738fa655d2eb5102b515818be3c59422b165c
                                    • Instruction ID: c73677d7f662fcaec526bd1ef3d5023948fcf3500179971a5f959b5c99b64215
                                    • Opcode Fuzzy Hash: 96213414eff7c75733083490c3d738fa655d2eb5102b515818be3c59422b165c
                                    • Instruction Fuzzy Hash: E80129B2200104ABDB14DF98DC95EEB77ADEF8C354F058649FA5DA7241D630E9118BB0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtReadFile.NTDLL(00D64D42,5EB6522D,FFFFFFFF,00D64A01,?,?,00D64D42,?,00D64A01,FFFFFFFF,5EB6522D,00D64D42,?,00000000), ref: 00D6A025
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                    • Instruction ID: 03fd566fd788a555a94bf11c8e57cdcd22556ca8be063e4a36a99344c09ea3ad
                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                    • Instruction Fuzzy Hash: D6F0A4B2210208ABCB14DF8DDC91EEB77ADEF8C754F158248BA1DA7241D630E8118BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00D52D11,00002000,00003000,00000004), ref: 00D6A149
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    • Opcode ID: e6c71ee8c728272fe655faef2510aeaf55002f7dcc29b04e338e8c71131a89b2
                                    • Instruction ID: 954836a0a0d07d96f85e03a2fc94581b7ea012e28e7f7d7ad86a011ba4435e65
                                    • Opcode Fuzzy Hash: e6c71ee8c728272fe655faef2510aeaf55002f7dcc29b04e338e8c71131a89b2
                                    • Instruction Fuzzy Hash: DAF012B1210109AFCB14DF98CC41EEB77A9EF8C350F114648FE59A7291C630E911CBB4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00D52D11,00002000,00003000,00000004), ref: 00D6A149
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                    • Instruction ID: dea8a27124a843166fdf9b3b7fbf216d3cbef60b4f50550577fcbb650983cfe0
                                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                    • Instruction Fuzzy Hash: 4EF015B2210208ABCB14DF89CC81EAB77ADEF88750F118248BE08A7241C630F811CBB0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtClose.NTDLL(00D64D20,?,?,00D64D20,00000000,FFFFFFFF), ref: 00D6A085
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: eb801680615d22dbc4e63bb697b867162241bba26f49d9e9cd3755d14fec05fc
                                    • Instruction ID: f92bd3711fe9f52ae07ade8217ac99ad205770234f367ac806f8cd9c183934af
                                    • Opcode Fuzzy Hash: eb801680615d22dbc4e63bb697b867162241bba26f49d9e9cd3755d14fec05fc
                                    • Instruction Fuzzy Hash: 00E08C31600204ABDB20EBA8CC45FEB7B68EF84390F10456AB94CEB242C530E501CAA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • NtClose.NTDLL(00D64D20,?,?,00D64D20,00000000,FFFFFFFF), ref: 00D6A085
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                    • Instruction ID: 7d91c0cd3fc432f8cca602fb7ef7c50c2454fe54fd24671be17d47f548e1c63f
                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                    • Instruction Fuzzy Hash: F8D01776200214ABD710EB98CC85FA77BADEF48760F154599BA58AB242C530FA008AE0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: b472fe19f8ad93496ae2c0e8b039004c4aeafe0426ee41d8c32a9373adf804f0
                                    • Instruction ID: 2218123fb3ecf2b4a507084b9dac071be2659d3f34aabebb7e8881fcbf83038e
                                    • Opcode Fuzzy Hash: b472fe19f8ad93496ae2c0e8b039004c4aeafe0426ee41d8c32a9373adf804f0
                                    • Instruction Fuzzy Hash: 8690027134100813F111615A4504707000997D0285F91C412A0426558DDA96D953B161
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 272b1df77f8bb441d0e8de168650add7449c11652fdd6b8d29cbda5e1217c1bb
                                    • Instruction ID: a38dc3ae14340d49f5b0fc8b467d9724bc8ef5b28cd81c32f02333add8420af1
                                    • Opcode Fuzzy Hash: 272b1df77f8bb441d0e8de168650add7449c11652fdd6b8d29cbda5e1217c1bb
                                    • Instruction Fuzzy Hash: DE900261382045527545B15A44045074006A7E0285791C012A1416950CC966E857E661
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 28c5f80194601eedb59e59d3eb38f4baba82764954364c8eb462f3dd979b9373
                                    • Instruction ID: cc10bcd187f0ebed39f1f8d071cfd541c3c3d40874c9479fa232d01f17f03a05
                                    • Opcode Fuzzy Hash: 28c5f80194601eedb59e59d3eb38f4baba82764954364c8eb462f3dd979b9373
                                    • Instruction Fuzzy Hash: 339002A1342004036105715A4414616400A97E0245B51C021E1016590DC965D8927165
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    • Opcode ID: 201e524d778cbaa950525f12b216da789bd393bfd6a61d1ce5f82e79dfe41447
                                    • Instruction ID: 575ed5d9aa34dee200597a3855f80e01466a2a0840d58401355137fa1aea0e2a
                                    • Opcode Fuzzy Hash: 201e524d778cbaa950525f12b216da789bd393bfd6a61d1ce5f82e79dfe41447
                                    • Instruction Fuzzy Hash: 9C9002A138100842F100615A4414B060005D7E1345F51C015E1066554DCA59DC537166
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(000007D0), ref: 00D68CF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: net.dll$wininet.dll
                                    • API String ID: 3472027048-1269752229
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(000007D0), ref: 00D68CF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: net.dll$wininet.dll
                                    • API String ID: 3472027048-1269752229
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00D53AF8), ref: 00D6A26D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID: .z`
                                    • API String ID: 3298025750-1441809116
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00D5834A
                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00D5836B
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00D5834A
                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00D5836B
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00D5AD42
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: Load
                                    • String ID:
                                    • API String ID: 2234796835-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00D6A304
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateInternalProcess
                                    • String ID:
                                    • API String ID: 2186235152-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00D6A304
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateInternalProcess
                                    • String ID:
                                    • API String ID: 2186235152-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00D5F020,?,?,00000000), ref: 00D68DBC
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID:
                                    • API String ID: 2422867632-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00D64506,?,00D64C7F,00D64C7F,?,00D64506,?,?,?,?,?,00000000,00000000,?), ref: 00D6A22D
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,00D5F1A2,00D5F1A2,?,00000000,?,?), ref: 00D6A3D0
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.KERNELBASE(00008003,?,00D58CF4,?), ref: 00D5F6CB
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorMode
                                    • String ID:
                                    • API String ID: 2340568224-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00D6A304
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.479738533.0000000000D50000.00000040.00000001.sdmp, Offset: 00D50000, based on PE: false
                                    Yara matches
                                    Similarity
                                    • API ID: CreateInternalProcess
                                    • String ID:
                                    • API String ID: 2186235152-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                     • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                     • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                     C-Code - Quality: 53%
                                     			// Decompiler output for the function at 0x04FAFDDA, inside the PE-backed dump at
                                     			// 0x04EF0000. The "RTL:" format strings are the runtime's own critical-section
                                     			// timeout diagnostics; the routine was not executed during the run (see heading).
                                     			E04FAFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                     				void* _t7;
                                     				intOrPtr _t9;
                                     				intOrPtr _t10;
                                     				intOrPtr* _t12;
                                     				intOrPtr* _t13;
                                     				intOrPtr _t14;
                                     				intOrPtr* _t15;
                                     
                                     				_t13 = __edx;
                                     				_push(_a4);
                                     				_t14 =  *[fs:0x18];                    // 32-bit TEB self pointer (NtTib.Self)
                                     				_t15 = _t12;
                                     				_t7 = E04F5CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                     				_push(_t13);
                                     				E04FA5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                     				_t9 =  *_t15;
                                     				if(_t9 == 0xffffffff) {
                                     					_t10 = 0;
                                     				} else {
                                     					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                     				}
                                     				_push(_t10);
                                     				_push(_t15);
                                     				_push( *((intOrPtr*)(_t15 + 0xc)));
                                     				_push( *((intOrPtr*)(_t14 + 0x24)));   // TEB.ClientId.UniqueThread
                                     				// TEB.ClientId.UniqueProcess is the first printf-style argument below
                                     				return E04FA5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                     			}


                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04FAFDFA
                                    Strings
                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04FAFE01
                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04FAFE2B
                                    Memory Dump Source
                                    • Source File: 00000013.00000002.482489071.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: true
                                    • Associated: 00000013.00000002.483114878.000000000500B000.00000040.00000001.sdmp
                                    • Associated: 00000013.00000002.483133229.000000000500F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                    • API String ID: 885266447-3903918235
                                    • Opcode ID: 4439762dcffcb46e9cb251b999aac2be5317c375b3b24069abba0b63bb49e5a0
                                    • Instruction ID: 0a7c3062b557dfad5cf6a383260f20d763bd8a4b3751f680e1f11824201a2135
                                    • Opcode Fuzzy Hash: 4439762dcffcb46e9cb251b999aac2be5317c375b3b24069abba0b63bb49e5a0
                                    • Instruction Fuzzy Hash: 69F0F6B2600201BFEA201A45DC46F33BF5AEB84730F254315F6285A1E1EA62FC3196F4
                                    Uniqueness

                                    Uniqueness Score: -1.00%